#*************************************************************
# Copyright (c) 2003-2012, Emerging Threats
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
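##### Existing Rules
# The four commented rules below are not loaded from this file; they are listed here because
# they are the rules that SET the flowbits the active luajit rules further down test with
# flowbits:isset. If the ET ruleset that ships them is not loaded alongside this file, the
# dependent rules can never fire:
#   ET.http.javaclient            (sid 2013035)            -> sids 379000001, 379000002, 379000011, 379000017
#   ET.http.javaclient.vulnerable (sids 2011582, 2014297)  -> the commented test rules (sid 379000001 rev 4, 379000003)
#   OLE.CompoundFile              (sid 2012520)            -> sids 6687, 6688
# ET.http.binary, tested with flowbits:isnotset below, is not set anywhere in this file; an
# isnotset on a flowbit no rule sets is always true, so that condition only has effect when the
# setter is loaded from elsewhere.
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Java Client HTTP Request"; flow:established,to_server; content:" Java/1."; http_user_agent; flowbits:set,ET.http.javaclient; flowbits:noalert; classtype:misc-activity; sid:2013035; rev:2;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 1.6.x Detected"; flow:established,to_server; content:" Java/1.6.0_"; http_user_agent; content:!"37"; within:2; http_user_agent; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; reference:url,javatester.org/version.html; classtype:bad-unknown; sid:2011582; rev:24;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 1.7.x Detected"; flow:established,to_server; content:" Java/1.7.0_0"; http_user_agent; content:!"9"; within:1; http_user_agent; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; reference:url,javatester.org/version.html; classtype:bad-unknown; sid:2014297; rev:13;)
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft OLE Compound File Magic Bytes Flowbit Set"; flow:to_client,established; file_data; content:"|d0 cf 11 e0 a1 b1 1a e1|"; within:8; content:!".msi"; flowbits:set,OLE.CompoundFile; flowbits:noalert; classtype:protocol-command-decode; sid:2012520; rev:7;)
#####
# Java-delivered payload checks (server -> client). Each one hands the response body to a lua
# script and keeps the file (filestore:response) so the sample can be pulled for analysis.
# NOTE: the commented test rule directly below reuses sid 379000001, which the active rule after
# it also carries. Renumber it before re-enabling; Suricata refuses to load a duplicate sid.
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"LUAJIT test - match XORed binary"; flowbits:isset,ET.http.javaclient.vulnerable; flowbits:isnotset,ET.http.binary; luajit:suri-xor-binary-detect.lua; filestore:response; sid:379000001; rev:4;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT CURRENT_EVENTS XORed binary via Java"; flowbits:isset,ET.http.javaclient; flowbits:isnotset,ET.http.binary; luajit:suri-xor-binary-quick.lua; filestore:response; classtype:trojan-activity; sid:379000001; rev:5;)
# "PK" in the first two bytes of the body = zip/jar container; the script decides whether it is suspicious.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT CURRENT_EVENTS Suspicious Jar"; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; depth:2; luajit:suri-suspicious-jar2.lua; filestore:response; classtype:trojan-activity; sid:379000002; rev:2;)
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT CURRENT_EVENTS Suspicious Jar via vulnerable client"; flowbits:isset,ET.http.javaclient.vulnerable; file_data; content:"PK"; depth:2; luajit:suri-suspicious-jar2.lua; filestore:response; classtype:trojan-activity; sid:379000003; rev:2;)
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT zip test - Blackhole 2.x <name>[abc].class Jar"; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; depth:2; luajit:suri-bh2-abc-jar.lua; filestore:response; sid:379000004; rev:1;)
# Six zero bytes somewhere in body offsets 48..54; the lua script does the actual XOR-key check.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT CURRENT_EVENTS XORed-non-zero binary"; flow:from_server,established; file_data; content:"|00 00 00 00 00 00|"; offset:48; depth:54; luajit:suri-xor-non-zero.lua; filestore:response; classtype:trojan-activity; sid:379000005; rev:2;)
#
# Flash checks. The variants keyed on the FWS/CWS/ZWS magic at the start of the body are
# disabled; only the two variants for Flash embedded in an OLE compound file (OLE.CompoundFile
# set by sid 2012520) are active, and they need no depth because the magic is not at offset 0.
# The sids in this group (6687/6688 active; 6689, 7016687, 7016688, 9016687, 99221187 commented)
# do not follow the 379000xxx scheme used by the rest of the file, and 6687-6689 sit below the
# floor conventionally left for vendor rulesets. Renumbering is deliberately not done here:
# deployed suppressions and alert history key on sid, so it needs a coordinated change.
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT WEB_CLIENT Suspicious Adobe Flash file (Uncompressed)"; flow:from_server,established; file_data; content:"FWS"; depth:3; luajit:suri-suspicious-flash2.lua; classtype:trojan-activity; sid:7016688; rev:5;)
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT WEB_CLIENT Suspicious Adobe Flash file (Compressed)"; flow:from_server,established; file_data; content:"CWS"; depth:3; luajit:suri-suspicious-flash2.lua; classtype:trojan-activity; sid:7016687; rev:5;)
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT WEB_CLIENT Suspicious Adobe Flash file (Compressed LZMA)"; flow:from_server,established; file_data; content:"ZWS"; depth:3; luajit:suri-suspicious-flash2.lua; classtype:trojan-activity; sid:9016687; rev:5;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT WEB_CLIENT Suspicious Adobe Flash file (Uncompressed, OLE)"; flow:from_server,established; file_data; flowbits:isset,OLE.CompoundFile; content:"kern"; fast_pattern:only; content:"FWS"; luajit:suri-suspicious-flash2.lua; classtype:trojan-activity; sid:6688; rev:5;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT WEB_CLIENT Suspicious Adobe Flash file (Compressed, OLE)"; flow:from_server,established; file_data; flowbits:isset,OLE.CompoundFile; content:"CWS"; luajit:suri-suspicious-flash2.lua; classtype:trojan-activity; sid:6687; rev:5;)
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT WEB_CLIENT Suspicious Adobe Flash file (Compressed LZMA, OLE)"; flow:from_server,established; file_data; flowbits:isset,OLE.CompoundFile; content:"ZWS"; luajit:suri-suspicious-flash2.lua; classtype:trojan-activity; sid:6689; rev:5;)
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT WEB_CLIENT Suspicious PDF"; flow:from_server,established; file_data; content:"%PDF-"; within:20; luajit:suri-suspicious-pdf.lua; classtype:trojan-activity; sid:99221187; rev:1;)
#
# Exploit-kit landing/payload URL heuristics (client -> server): a long URI (urilen:>200) ending
# in a file extension, with the final decision left to the lua script. All of these set
# et.exploitkitlanding, which is also set by several server -> client payload rules below so a
# downstream rule can correlate on it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET LUAJIT Probable Styx Acrobat exploit URL"; flow:established,to_server; urilen:>200; content:".pdf"; http_uri; luajit:suri-styx-url.lua; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:379000007; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET LUAJIT Probable Styx Java exploit URL"; flow:established,to_server; content:"Java/1"; http_user_agent; urilen:>200; content:".jar"; http_uri; luajit:suri-styx-url.lua; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:379000008; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET LUAJIT Probable Styx font exploit URL"; flow:established,to_server; urilen:>200; content:".eot"; http_uri; luajit:suri-styx-url.lua; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:379000009; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET LUAJIT Probable Styx URL"; flow:established,to_server; urilen:>200; content:".html"; http_uri; luajit:suri-styx-url.lua; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:379000010; rev:1;)
# The pcre anchors a 0x78 byte at the very end of the body (/R keeps it relative to the content
# match); presumably the tail of a byte-reversed zlib stream - the lua script confirms.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT CURRENT_EVENTS Reversed compressed binary via Java"; flow:from_server,established; flowbits:isset,ET.http.javaclient; file_data; content:"|78|"; fast_pattern:only; pcre:"/\x78$/R"; luajit:suri-reversed-compressed-binary.lua; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:379000011; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT Possible SilverLight Exploit CVE-2013-0074"; flow:from_server,established; file_data; content:"PK"; within:2; content:"AppManifest.xaml"; nocase; luajit:CVE-2013-0074.lua; classtype:trojan-activity; sid:379000012; rev:2;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET LUAJIT Probable Nuclear landing URL"; flow:established,to_server; urilen:>40; content:".html"; http_uri; pcre:"/^\/[a-f0-9A-Z\-\_]+(\/\d+\/[0-9a-f]{32})?\.html$/U"; luajit:suri-nuclear-url.lua; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:379000013; rev:1;)
# gzip magic (1f 8b 08 00) at the start of a body fetched by a Java client.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT suspicious pack200-ed JAR file"; flow:from_server,established; flowbits:isset,ET.http.javaclient; file_data; content:"|1f 8b 08 00|"; depth:4; luajit:suri-suspicious-pack200jar.lua; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:379000017; rev:1;)
# Heartbleed: TLS record type 0x18 (heartbeat) with major version 3 in the first two bytes, and
# the byte at offset 2 (the minor version) below 4; payload length vs. declared length is checked
# in the lua script. to_server only, so a malicious server answering a client is not covered here.
alert tls any any -> any any (msg:"ET LUAJIT TLS HEARTBLEED malformed heartbeat record"; flow:established,to_server; dsize:>7; content:"|18 03|"; depth:2; byte_test:1,<,4,2; luajit:tls-heartbleed.lua; classtype:misc-attack; sid:378000017; rev:1;)
# Fixed relative to the original: "contaning" -> "containing" in msg, reference:cve added to match
# the other CVE rules in this file, metadata keywords put in the usual classtype/sid/rev order,
# and rev bumped to 2 because the rule text changed. Detection logic is unchanged.
# Note that sid 379000035 below uses the identical content match with a different lua script, so
# one PPT can raise both alerts.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT PPT with oleObject containing INF from SMB Probably CVE-2014-4114"; flow:established,from_server; file_data; content:"ppt/embeddings/oleObject"; luajit:CVE-2014-4114.lua; reference:cve,2014-4114; classtype:attempted-admin; sid:14919911; rev:2;)
# Regin init beacon, one rule per transport: payload starts with "A", then "AAA" somewhere in
# the next four bytes after skipping one. The ICMP variant is limited to echo requests (itype:8).
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET LUAJIT Possible Regin Init CnC Beacon TCP"; flow:established,to_server; content:"A"; depth:1; content:"AAA"; distance:1; within:4; luajit:suri-regin.lua; reference:url,symantec.com/content/en/us/enterprise/media/security_response/whitepapers/regin-analysis.pdf; reference:url,securelist.com/files/2014/11/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf; classtype:trojan-activity; sid:379000018; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET LUAJIT Possible Regin Init CnC Beacon UDP"; content:"A"; depth:1; content:"AAA"; distance:1; within:4; luajit:suri-regin.lua; reference:url,symantec.com/content/en/us/enterprise/media/security_response/whitepapers/regin-analysis.pdf; reference:url,securelist.com/files/2014/11/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf; classtype:trojan-activity; sid:379000019; rev:1;)
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET LUAJIT Possible Regin Init CnC Beacon ICMP"; itype:8; content:"A"; depth:1; content:"AAA"; distance:1; within:4; luajit:suri-regin.lua; reference:url,symantec.com/content/en/us/enterprise/media/security_response/whitepapers/regin-analysis.pdf; reference:url,securelist.com/files/2014/11/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf; classtype:trojan-activity; sid:379000020; rev:1;)
# OOXML (zip, "PK|03 04|") documents: a cheap content match on the part name selects the file,
# the per-CVE lua script does the structural check.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT MS Office Word Doc Memory Corruption Vulnerability CVE-2015-1641"; flow:established,from_server; file_data; content:"PK|03 04|"; content:"word/document.xml"; distance:0; nocase; luajit:CVE-2015-1641.lua; reference:cve,2015-1641; classtype:attempted-admin; sid:379000021; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT MS Office Word Doc Use After Free Vulnerability CVE-2015-1650"; flow:established,from_server; file_data; content:"PK|03 04|"; content:"word/numbering.xml"; distance:0; nocase; luajit:CVE-2015-1650.lua; reference:cve,2015-1650; classtype:attempted-admin; sid:379000022; rev:1;)
# XORed-executable heuristics: a response the server labels as an executable (Content-Type, or
# inline attachment with an empty filename) whose body does NOT start with "MZ". The lua script
# tries to recover the key. Note that the negated content with within:2 only looks at the
# first two body bytes.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT Possible RIG XORed binary"; flow:from_server,established; content:"Content-Type|3a| application/x-msdownload"; http_header; file_data; content:!"MZ"; within:2; luajit:suri-xor-binary-quick.lua; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:379000023; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT Possible Nuclear XORed binary"; flow:from_server,established; content:"Content-Disposition|3a| inline|3b| filename=|0d 0a|"; http_header; file_data; content:!"MZ"; within:2; luajit:suri-xor-binary-quick.lua; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:379000024; rev:1;)
# "#@~^" is the VBScript.Encode (VBE) prefix.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT suspicious VBE"; flow:from_server,established; file_data; content:"#@~^"; luajit:suri-suspicious-vbe.lua; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:379000025; rev:2;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT MS Office Word Doc Use After Free Vulnerability CVE-2015-1770"; flow:established,from_server; file_data; content:"PK|03 04|"; content:"/activeX/activeX"; nocase; fast_pattern; pcre:"/^\d+\.xml/Ri"; luajit:CVE-2015-1770.lua; reference:cve,2015-1770; classtype:attempted-admin; sid:379000026; rev:1;)
# FLV header: "FLV" in the first three bytes, then bit 2 (0x04) of the next byte set
# (byte_test with the & operator, relative to the content match).
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT WEB_CLIENT Possible Adobe Flash CVE-2015-3113 in FLV"; flow:established,from_server; file_data; content:"FLV"; within:3; byte_test:1,&,4,1,relative; luajit:CVE-2015-3113.lua; reference:cve,2015-3113; classtype:attempted-admin; sid:379000027; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT Possible MS Office Excel Doc ASLR Bypass Vulnerability CVE-2015-2375"; flow:established,from_server; file_data; content:"PK|03 04|"; content:"xl/tables/table"; distance:0; content:".xml"; distance:0; luajit:CVE-2015-2375.lua; reference:cve,2015-2375; classtype:attempted-admin; sid:379000028; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT Possible MS Office Excel Memory Corruption Vulnerability CVE-2015-2377"; flow:established,from_server; file_data; content:"PK|03 04|"; content:"xl/charts/"; distance:0; fast_pattern; content:".xml"; distance:0; luajit:CVE-2015-2377.lua; reference:cve,2015-2377; classtype:attempted-admin; sid:379000029; rev:1;)
# "GPOS" table tag within the first 520 bytes of the body (OpenType table directory region).
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT Possible OpenType Font Driver Vulnerability CVE-2015-2426"; flow:established,from_server; file_data; content:"GPOS"; within:520; fast_pattern; luajit:CVE-2015-2426.lua; reference:cve,2015-2426; classtype:attempted-admin; sid:379000030; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT Possible MS Office Excel Doc Memory Corruption Vulnerability CVE-2015-2558"; flow:established,from_server; file_data; content:"PK|03 04|"; content:"xl/workbook.xml"; fast_pattern:only; luajit:CVE-2015-2558.lua; reference:cve,2015-2558; classtype:attempted-admin; sid:379000031; rev:1;)
# Xbagging: the commented ET rule (sid 2022220) sets ET.vba-jpg-dl on a macro-style ".jpg" GET
# with no Referer; the two active rules below then flag a response to it whose body does not
# start with the JPEG magic (ff d8 ff). As with the Java flowbits above, they depend on sid
# 2022220 being loaded from the ET ruleset.
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO possible .jpg download by VBA macro"; flow:established,to_server; content:"GET"; http_method; content:".jpg"; http_uri; content:!"Referer|3A|"; http_header; content:!"Accept-Language|3A|"; http_header; content:"Accept|3a|"; http_header; content:"Accept|3a 20|*/*|0d 0a|Accept-Encoding|3a 20|gzip, deflate|0d 0a|User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT"; depth:102; fast_pattern:82,20; http_header; pcre:"/\.jpg(?:\?\d+)?$/U"; flowbits:set,ET.vba-jpg-dl; flowbits:noalert; classtype:trojan-activity; sid:2022220; rev:2;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT Xbagging encrypted macro XOR-ed payload"; flow:from_server,established; flowbits:isset,ET.vba-jpg-dl; file_data; content:!"|ff d8 ff|"; within:3; luajit:suri-xbagging-xor.lua; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:379000033; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT Xbagging encrypted macro XOR-ed payload (2)"; flow:from_server,established; flowbits:isset,ET.vba-jpg-dl; file_data; content:!"|ff d8 ff|"; within:3; luajit:suri-xor-binary-quick.lua; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:379000034; rev:1;)
# Same content selector as sid 14919911 above; differs only in the lua script and CVE references.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT Possible PPT LoadLibrary dll Inclusion CVE-2015-6132 CVE-2015-6133"; flow:established,from_server; file_data; content:"ppt/embeddings/oleObject"; luajit:CVE-2015-6132.lua; reference:cve,2015-6132; reference:cve,2015-6133; classtype:attempted-admin; sid:379000035; rev:1;)
# sid 30300056 is another outlier from the 379000xxx scheme (see the Flash group note); left as-is.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT MS Office Word Doc Use After Free Vulnerability CVE-2016-0056"; flow:established,from_server; file_data; content:"PK|03 04|"; content:"word/_rels/webSettings.xml.rels"; distance:0; nocase; luajit:CVE-2016-0056.lua; reference:cve,2016-0056; classtype:attempted-admin; sid:30300056; rev:1;)
# Depends on the exe.no.referer flowbit, which no rule in this file sets (not even a commented
# one). Unless the setter lives in another loaded rules file, this rule is dead; if it is
# meant to be self-contained, add the setter here with flowbits:noalert like the ET rules above.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET LUAJIT XORed binary from .exe URI with no referer"; flow:from_server,established; flowbits:isset,exe.no.referer; file_data; content:!"MZ"; within:2; luajit:suri-xor-binary-quick.lua; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:379000036; rev:1;)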