Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Signatures
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Snort-sigs] Bleedingsnort.com Daily Update

from [matt] Network Security [Permanent Link]
Subject: [Snort-sigs] Bleedingsnort.com Daily Update
Date: Mon, 18 Oct 2004 20:00:01 -0500 

[***] Results from Oinkmaster started Mon Oct 18 20:00:01 2004 [***]

[///]     Modified active rules:     [///]

     -> Modified active in bleeding-malware.rules (9):
        old: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"BLEEDING-EDGE IE shell access WSH (Windows Script Host)"; 
content:"wsh.Run"; content:"command"; reference: 
url,www.geek.com/news/geeknews/2004Jun/gee20040610025522.htm; nocase; 
classtype:misc-attack; sid:2000516; rev:2;)
        new: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"BLEEDING-EDGE IE shell access WSH (Windows Script Host)"; 
content:"wsh.Run"; content:"command"; 
reference:url,www.geek.com/news/geeknews/2004Jun/gee20040610025522.htm; nocase; 
classtype:misc-attack; sid:2000516; rev:2;)
        old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE 
IE Object Data vulnerability"; content:"document.body.innerHTML"; 
content:"object"; content:"data"; content:"show"; content:"document.body"; 
reference: url,www.geek.com/news/geeknews/2004Jun/gee20040610025522.htm; 
nocase; classtype:misc-attack; sid:2000517; rev:1;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE 
IE Object Data vulnerability"; content:"document.body.innerHTML"; 
content:"object"; content:"data"; content:"show"; content:"document.body"; 
reference:url,www.geek.com/news/geeknews/2004Jun/gee20040610025522.htm; nocase; 
classtype:misc-attack; sid:2000517; rev:1;)
        old: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"BLEEDING-EDGE shell browser vulnerability NT/2K"; content:"shell\:winnt"; 
reference: url,www.packetfocus.com/shell_exploit.htm; nocase; 
classtype:misc-attack; sid:2000520; rev:2;)
        new: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"BLEEDING-EDGE shell browser vulnerability NT/2K"; content:"shell\:winnt"; 
reference:url,www.packetfocus.com/shell_exploit.htm; nocase; 
classtype:misc-attack; sid:2000520; rev:2;)
        old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE 
IE suspicious access to WSH (Windows Script Host)"; content:"object"; 
content:"id"; content:"wsh"; content:"classid"; content:"clsid\:"; 
content:"\/"; content:"object"; reference: 
url,www.geek.com/news/geeknews/2004Jun/gee20040610025522.htm; nocase; 
classtype:misc-attack; sid:2000515; rev:1;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE 
IE suspicious access to WSH (Windows Script Host)"; content:"object"; 
content:"id"; content:"wsh"; content:"classid"; content:"clsid\:"; 
content:"\/"; content:"object"; 
reference:url,www.geek.com/news/geeknews/2004Jun/gee20040610025522.htm; nocase; 
classtype:misc-attack; sid:2000515; rev:1;)
        old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE 
IE homepage hijacking"; content:"wsh.RegWrite"; 
content:"HKLM\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\Main\\\\Start 
Page"; reference: url,www.geek.com/news/geeknews/2004Jun/gee20040610025522.htm; 
nocase; classtype:misc-attack; sid:2000514; rev:1;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE 
IE homepage hijacking"; content:"wsh.RegWrite"; 
content:"HKLM\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\Main\\\\Start 
Page"; reference:url,www.geek.com/news/geeknews/2004Jun/gee20040610025522.htm; 
nocase; classtype:misc-attack; sid:2000514; rev:1;)
        old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE 
IE Encrypted Jscript (Windows Script Encoder)"; content:"JScript.Encode"; 
content:"Start Encode"; reference: 
url,microsoft.com/downloads/details.aspx?FamilyId=E7877F67-C447-4873-B1B0-21F0626A6329&displaylang=en;
 nocase; classtype:misc-attack; sid:2000518; rev:1;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE 
IE Encrypted Jscript (Windows Script Encoder)"; content:"JScript.Encode"; 
content:"Start Encode"; 
reference:url,microsoft.com/downloads/details.aspx?FamilyId=E7877F67-C447-4873-B1B0-21F0626A6329&displaylang=en;
 nocase; classtype:misc-attack; sid:2000518; rev:1;)
        old: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"BLEEDING-EDGE Comet Cursor spyware detection"; content:"|53 65 72 76 65 
72|"; content:"|43 6F 6D 65 74|"; reference: 
url,simplythebest.net/info/spyware/comet_cursor_spyware.html; 
classtype:policy-violation; sid:2000551; rev:5;)
        new: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"BLEEDING-EDGE Comet Cursor spyware detection"; content:"|53 65 72 76 65 
72|"; content:"|43 6F 6D 65 74|"; 
reference:url,simplythebest.net/info/spyware/comet_cursor_spyware.html; 
classtype:policy-violation; sid:2000551; rev:5;)
        old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE 
IE spyware downloader Microsoft VM vulnerability"; content:"document.write"; 
content:"APPLET"; content:"ActiveXComponent"; reference: 
url,www.giac.org/practical/GCIH/Franklin_Witter_GCIH.pdf; nocase; 
classtype:misc-attack; sid:2000513; rev:1;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE 
IE spyware downloader Microsoft VM vulnerability"; content:"document.write"; 
content:"APPLET"; content:"ActiveXComponent"; 
reference:url,www.giac.org/practical/GCIH/Franklin_Witter_GCIH.pdf; nocase; 
classtype:misc-attack; sid:2000513; rev:1;)
        old: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"BLEEDING-EDGE shell browser vulnerability W9x/XP"; 
content:"shell\:windows"; reference: url,www.packetfocus.com/shell_exploit.htm; 
nocase; classtype:misc-attack; sid:2000519; rev:2;)
        new: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"BLEEDING-EDGE shell browser vulnerability W9x/XP"; 
content:"shell\:windows"; reference:url,www.packetfocus.com/shell_exploit.htm; 
nocase; classtype:misc-attack; sid:2000519; rev:2;)

     -> Modified active in bleeding-policy.rules (4):
        old: alert tcp !$HOME_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE NE 
EXE OS2 file download"; content:"MZ"; isdataat:76,relative; content:"This 
program cannot be run in a DOS session."; isdataat:6,relative; content:"NE"; 
distance:0; reference: 
url,www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm; 
classtype:misc-activity; sid:2000423; rev:3;)
        new: alert tcp !$HOME_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE NE 
EXE OS2 file download"; content:"MZ"; isdataat:76,relative; content:"This 
program cannot be run in a DOS session."; isdataat:6,relative; content:"NE"; 
distance:0; 
reference:url,www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm;
 classtype:misc-activity; sid:2000423; rev:3;)
        old: alert tcp !$HOME_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE 
Download Windows Help File CHM"; content:"ITSF|03|"; isdataat:19,relative; 
content:"|7C 01 FD 10 7B AA 11 D0 9E 0C 00 A0 C9 22 E6 EC 7C 01 FD 11 7B AA 11 
D0 9E 0C 00 A0 C9 22 E6 EC|"; distance:0; reference: 
url,www.speakeasy.org/~russotto/chm/chmformat.html; reference: 
url,www.securiteam.com/windowsntfocus/6V00N000AU.html; classtype:misc-activity; 
sid:2000489; rev:3;)
        new: alert tcp !$HOME_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE 
Download Windows Help File CHM"; content:"ITSF|03|"; isdataat:19,relative; 
content:"|7C 01 FD 10 7B AA 11 D0 9E 0C 00 A0 C9 22 E6 EC 7C 01 FD 11 7B AA 11 
D0 9E 0C 00 A0 C9 22 E6 EC|"; distance:0; 
reference:url,www.speakeasy.org/~russotto/chm/chmformat.html; 
reference:url,www.securiteam.com/windowsntfocus/6V00N000AU.html; 
classtype:misc-activity; sid:2000489; rev:3;)
        old: alert tcp !$HOME_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE LX 
EXE OS2 file download"; content:"MZ"; isdataat:76,relative; content:"This 
program cannot be run in a DOS session."; isdataat:6,relative; content:"LX"; 
distance:0; reference: 
url,www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm; 
classtype:misc-activity; sid:2000424; rev:3;)
        new: alert tcp !$HOME_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE LX 
EXE OS2 file download"; content:"MZ"; isdataat:76,relative; content:"This 
program cannot be run in a DOS session."; isdataat:6,relative; content:"LX"; 
distance:0; 
reference:url,www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm;
 classtype:misc-activity; sid:2000424; rev:3;)
        old: alert tcp !$HOME_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE 
Download Windows Help File CHM 2"; content:"ITSF|03|"; isdataat:19,relative; 
content:"|10 FD 01 7C AA 7B D0 11 9E 0C 00 A0 C9 22 E6 EC 11 FD 01 7C AA 7B D0 
11 9E 0C 00 A0 C9 22 E6 EC|"; distance:0; reference: 
url,www.speakeasy.org/~russotto/chm/chmformat.html; reference: 
url,www.securiteam.com/windowsntfocus/6V00N000AU.html; classtype:misc-activity; 
sid:2000429; rev:3;)
        new: alert tcp !$HOME_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE 
Download Windows Help File CHM 2"; content:"ITSF|03|"; isdataat:19,relative; 
content:"|10 FD 01 7C AA 7B D0 11 9E 0C 00 A0 C9 22 E6 EC 11 FD 01 7C AA 7B D0 
11 9E 0C 00 A0 C9 22 E6 EC|"; distance:0; 
reference:url,www.speakeasy.org/~russotto/chm/chmformat.html; 
reference:url,www.securiteam.com/windowsntfocus/6V00N000AU.html; 
classtype:misc-activity; sid:2000429; rev:3;)

     -> Modified active in bleeding.rules (26):
        old: alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 
(msg:"BLEEDING-EDGE MS-SQL SQL Injection line comment"; 
flow:to_server,established; content:"-|00|-|00|"; reference: 
url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf; reference: 
url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html; nocase; 
classtype:attempted-user; sid:2000373; rev:1;)
        new: alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 
(msg:"BLEEDING-EDGE MS-SQL SQL Injection line comment"; 
flow:to_server,established; content:"-|00|-|00|"; 
reference:url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf; 
reference:url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html; 
nocase; classtype:attempted-user; sid:2000373; rev:1;)
        old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  
(msg:"BLEEDING-EDGE WEB-IIS ASAX source exposed with Alternate Data Stream"; 
content: ".asax\:\:$DATA"; nocase; reference: 
url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1;
 sid:2000533; rev:1;)
        new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  
(msg:"BLEEDING-EDGE WEB-IIS ASAX source exposed with Alternate Data Stream"; 
content: ".asax\:\:$DATA"; nocase; 
reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1;
 sid:2000533; rev:1;)
        old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"BLEEDING-EDGE PHPNukegeneral XSS attemp"; content:"/modules.php?"; 
content:"name="; uricontent:"SCRIPT"; nocase; pcre:"/<\s*SCRIPT\s*>/iU"; 
reference: url,www.waraxe.us/?modname=sa&id=030; 
classtype:web-application-attack; sid:2001218; rev:1;)
        new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"BLEEDING-EDGE PHPNukegeneral XSS attemp"; content:"/modules.php?"; 
content:"name="; uricontent:"SCRIPT"; nocase; pcre:"/<\s*SCRIPT\s*>/iU"; 
reference:url,www.waraxe.us/?modname=sa&id=030; 
classtype:web-application-attack; sid:2001218; rev:1;)
        old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  
(msg:"BLEEDING-EDGE WEB-IIS SHTML source exposed with Alternate Data Stream"; 
content: ".shtml\:\:$DATA"; nocase; reference: 
url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1;
 sid:2000525; rev:1;)
        new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  
(msg:"BLEEDING-EDGE WEB-IIS SHTML source exposed with Alternate Data Stream"; 
content: ".shtml\:\:$DATA"; nocase; 
reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1;
 sid:2000525; rev:1;)
        old: alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 
(msg:"BLEEDING-EDGE MS-SQL SQL Injection closing string plus line comment"; 
flow:to_server,established; content:"'|00|"; content:"-|00|-|00|"; reference: 
url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf; reference: 
url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html; nocase; 
classtype:attempted-user; sid:2000488; rev:1;)
        new: alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 
(msg:"BLEEDING-EDGE MS-SQL SQL Injection closing string plus line comment"; 
flow:to_server,established; content:"'|00|"; content:"-|00|-|00|"; 
reference:url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf; 
reference:url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html; 
nocase; classtype:attempted-user; sid:2000488; rev:1;)
        old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  
(msg:"BLEEDING-EDGE WEB-IIS PL source exposed with Alternate Data Stream"; 
content: ".pl\:\:$DATA"; nocase; reference: 
url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1;
 sid:2000530; rev:1;)
        new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  
(msg:"BLEEDING-EDGE WEB-IIS PL source exposed with Alternate Data Stream"; 
content: ".pl\:\:$DATA"; nocase; 
reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1;
 sid:2000530; rev:1;)
        old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE 
Possible Microsoft asycpict.dll 1.0 Remote JPEG DoS Attack Vulnerability 
Attempt"; content:".jp"; content:"mspert10.cab"; content:"|FF FF FF FF|"; 
nocase; 
reference:url,archives.neohapsis.com/archives/bugtraq/2004-10/0126.html; 
classtype:attempted-dos; sid:2001360; rev:1;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE 
Possible Microsoft asycpict.dll 1.0 Remote JPEG DoS Attack Vulnerability 
Attempt"; content:"|4A 46 49 46|"; content:"|11 08 FF FF FF FF|"; nocase; 
reference:url,archives.neohapsis.com/archives/bugtraq/2004-10/0126.html; 
classtype:attempted-dos; sid:2001360; rev:2;)
        old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  
(msg:"BLEEDING-EDGE WEB-IIS IDC source exposed with Alternate Data Stream"; 
content: ".idc\:\:$DATA"; nocase; reference: 
url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1;
 sid:2000526; rev:1;)
        new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  
(msg:"BLEEDING-EDGE WEB-IIS IDC source exposed with Alternate Data Stream"; 
content: ".idc\:\:$DATA"; nocase; 
reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1;
 sid:2000526; rev:1;)
        old: alert udp any any -> $HOME_NET 1434 (msg:"BLEEDING-EDGE MS-SQL DOS 
attempt (08) 1 byte"; content:"|08|"; depth:1; dsize:1; reference: 
url,www.nextgenss.com/papers/tp-SQL2000.pdf; classtype:attempted-dos; 
sid:2000379; rev:1;)
        new: alert udp any any -> $HOME_NET 1434 (msg:"BLEEDING-EDGE MS-SQL DOS 
attempt (08) 1 byte"; content:"|08|"; depth:1; dsize:1; 
reference:url,www.nextgenss.com/papers/tp-SQL2000.pdf; classtype:attempted-dos; 
sid:2000379; rev:1;)
        old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  
(msg:"BLEEDING-EDGE WEB-IIS IDA source exposed with Alternate Data Stream"; 
content: ".ida\:\:$DATA"; nocase; reference: 
url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1;
 sid:2000529; rev:1;)
        new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  
(msg:"BLEEDING-EDGE WEB-IIS IDA source exposed with Alternate Data Stream"; 
content: ".ida\:\:$DATA"; nocase; 
reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1;
 sid:2000529; rev:1;)
        old: alert udp any any -> $HOME_NET 1434 (msg:"BLEEDING-EDGE MS-SQL 
Spike buffer overflow"; content:"|12 01 00 34|"; depth:4; reference: 
url,www.securityfocus.com/bid/5411/exploit; classtype:attempted-admin; 
sid:2000380; rev:1;)
        new: alert udp any any -> $HOME_NET 1434 (msg:"BLEEDING-EDGE MS-SQL 
Spike buffer overflow"; content:"|12 01 00 34|"; depth:4; 
reference:url,www.securityfocus.com/bid/5411/exploit; 
classtype:attempted-admin; sid:2000380; rev:1;)
        old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  
(msg:"BLEEDING-EDGE WEB-IIS SHTM source exposed with Alternate Data Stream"; 
content: ".shtm\:\:$DATA"; nocase; reference: 
url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1;
 sid:2000524; rev:1;)
        new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  
(msg:"BLEEDING-EDGE WEB-IIS SHTM source exposed with Alternate Data Stream"; 
content: ".shtm\:\:$DATA"; nocase; 
reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1;
 sid:2000524; rev:1;)
        old: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE 
ICMP PING IPTools"; itype:8; icode:0; content:"|A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 
A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 
A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 
A7 A7|"; depth:64; reference: url,www.ks-soft.net/ip-tools.eng; 
classtype:misc-activity; sid:2000575; rev:1;)
        new: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE 
ICMP PING IPTools"; itype:8; icode:0; content:"|A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 
A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 
A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 
A7 A7|"; depth:64; reference:url,www.ks-soft.net/ip-tools.eng; 
classtype:misc-activity; sid:2000575; rev:1;)
        old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  
(msg:"BLEEDING-EDGE WEB-IIS ASP source exposed with Alternate Data Stream"; 
content: ".asp\:\:$DATA"; nocase; reference: 
url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1;
 sid:2000521; rev:1;)
        new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  
(msg:"BLEEDING-EDGE WEB-IIS ASP source exposed with Alternate Data Stream"; 
content: ".asp\:\:$DATA"; nocase; 
reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1;
 sid:2000521; rev:1;)
        old: alert udp any any -> $HOME_NET 1434 (msg:"BLEEDING-EDGE MS-SQL DOS 
bouncing packets"; content:"|0A|"; depth:1; reference: 
url,www.nextgenss.com/papers/tp-SQL2000.pdf; classtype:attempted-dos; 
sid:2000381; rev:1;)
        new: alert udp any any -> $HOME_NET 1434 (msg:"BLEEDING-EDGE MS-SQL DOS 
bouncing packets"; content:"|0A|"; depth:1; 
reference:url,www.nextgenss.com/papers/tp-SQL2000.pdf; classtype:attempted-dos; 
sid:2000381; rev:1;)
        old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  
(msg:"BLEEDING-EDGE WEB-IIS STM source exposed with Alternate Data Stream"; 
content: ".stm\:\:$DATA"; nocase; reference: 
url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1;
 sid:2000523; rev:1;)
        new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  
(msg:"BLEEDING-EDGE WEB-IIS STM source exposed with Alternate Data Stream"; 
content: ".stm\:\:$DATA"; nocase; 
reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1;
 sid:2000523; rev:1;)
        old: alert udp any any -> $HOME_NET 1434 (msg:"BLEEDING-EDGE MS-SQL DOS 
attempt (08)"; content:"|08|"; depth:1; content:!"|3A|"; depth:1; offset:1; 
dsize:>1; reference: url,www.nextgenss.com/papers/tp-SQL2000.pdf; 
classtype:attempted-dos; sid:2000378; rev:1;)
        new: alert udp any any -> $HOME_NET 1434 (msg:"BLEEDING-EDGE MS-SQL DOS 
attempt (08)"; content:"|08|"; depth:1; content:!"|3A|"; depth:1; offset:1; 
dsize:>1; reference:url,www.nextgenss.com/papers/tp-SQL2000.pdf; 
classtype:attempted-dos; sid:2000378; rev:1;)
        old: alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 
(msg:"BLEEDING-EDGE MS-SQL SQL Injection running SQL statements line comment"; 
flow:to_server,established; content:"\;|00|"; content:"-|00|-|00|"; reference: 
url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf; reference: 
url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html; nocase; 
classtype:attempted-user; sid:2000372; rev:1;)
        new: alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 
(msg:"BLEEDING-EDGE MS-SQL SQL Injection running SQL statements line comment"; 
flow:to_server,established; content:"\;|00|"; content:"-|00|-|00|"; 
reference:url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf; 
reference:url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html; 
nocase; classtype:attempted-user; sid:2000372; rev:1;)
        old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  
(msg:"BLEEDING-EDGE WEB-IIS HTW source exposed with Alternate Data Stream"; 
content: ".htw\:\:$DATA"; nocase; reference: 
url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1;
 sid:2000527; rev:1;)
        new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  
(msg:"BLEEDING-EDGE WEB-IIS HTW source exposed with Alternate Data Stream"; 
content: ".htw\:\:$DATA"; nocase; 
reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1;
 sid:2000527; rev:1;)
        old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  
(msg:"BLEEDING-EDGE WEB-IIS ASA source exposed with Alternate Data Stream"; 
content: ".asa\:\:$DATA"; nocase; reference: 
url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1;
 sid:2000522; rev:1;)
        new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  
(msg:"BLEEDING-EDGE WEB-IIS ASA source exposed with Alternate Data Stream"; 
content: ".asa\:\:$DATA"; nocase; 
reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1;
 sid:2000522; rev:1;)
        old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  
(msg:"BLEEDING-EDGE WEB-IIS IDQ source exposed with Alternate Data Stream"; 
content: ".idq\:\:$DATA"; nocase; reference: 
url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1;
 sid:2000528; rev:1;)
        new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  
(msg:"BLEEDING-EDGE WEB-IIS IDQ source exposed with Alternate Data Stream"; 
content: ".idq\:\:$DATA"; nocase; 
reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1;
 sid:2000528; rev:1;)
        old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  
(msg:"BLEEDING-EDGE WEB-IIS ASPX source exposed with Alternate Data Stream"; 
content: ".aspx\:\:$DATA"; nocase; reference: 
url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1;
 sid:2000532; rev:1;)
        new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  
(msg:"BLEEDING-EDGE WEB-IIS ASPX source exposed with Alternate Data Stream"; 
content: ".aspx\:\:$DATA"; nocase; 
reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1;
 sid:2000532; rev:1;)
        old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  
(msg:"BLEEDING-EDGE WEB-IIS PHP source exposed with Alternate Data Stream"; 
content: ".php\:\:$DATA"; nocase; reference: 
url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1;
 sid:2000531; rev:1;)
        new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  
(msg:"BLEEDING-EDGE WEB-IIS PHP source exposed with Alternate Data Stream"; 
content: ".php\:\:$DATA"; nocase; 
reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1;
 sid:2000531; rev:1;)
        old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  
(msg:"BLEEDING-EDGE WEB-IIS CONFIG source exposed with Alternate Data Stream"; 
content: ".config\:\:$DATA"; nocase; reference: 
url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1;
 sid:2000534; rev:1;)
        new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS  
(msg:"BLEEDING-EDGE WEB-IIS CONFIG source exposed with Alternate Data Stream"; 
content: ".config\:\:$DATA"; nocase; 
reference:url,support.microsoft.com/support/kb/articles/q188/8/06.asp&NoWebContent=1&NoWebContent=1;
 sid:2000534; rev:1;)
        old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"BLEEDING-EDGE PHPNuke general SQL injection attempt"; 
content:"/modules.php?"; content:"name="; content:"UNION"; nocase; 
content:"SELECT"; nocase; reference: url,www.waraxe.us/?modname=sa&id=030; 
reference: url,www.waraxe.us/?modname=sa&id=036; 
classtype:web-application-attack ;sid:2001202; rev:1;)
        new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"BLEEDING-EDGE PHPNuke general SQL injection attempt"; 
content:"/modules.php?"; content:"name="; content:"UNION"; nocase; 
content:"SELECT"; nocase; reference:url,www.waraxe.us/?modname=sa&id=030; 
reference:url,www.waraxe.us/?modname=sa&id=036; 
classtype:web-application-attack ;sid:2001202; rev:1;)
        old: alert udp any any -> $HOME_NET 1434 (msg:"BLEEDING-EDGE MS-SQL 
heap overflow attempt"; content:"|08 3A 31|"; depth:3; reference: 
url,www.nextgenss.com/papers/tp-SQL2000.pdf; classtype:attempted-admin; 
sid:2000377; rev:1;)
        new: alert udp any any -> $HOME_NET 1434 (msg:"BLEEDING-EDGE MS-SQL 
heap overflow attempt"; content:"|08 3A 31|"; depth:3; 
reference:url,www.nextgenss.com/papers/tp-SQL2000.pdf; 
classtype:attempted-admin; sid:2000377; rev:1;)

[///]    Modified inactive rules:    [///]

     -> Modified inactive in bleeding-policy.rules (9):
        old: #alert tcp !$HOME_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE REG 
files version 5 download"; content:"Windows Registry Editor Version 5.00"; 
content:"|0D 0A|"; content:"["; content:"HKEY_"; reference: 
url,www.ss64.com/nt/regedit.html; nocase;  classtype:misc-activity; 
sid:2000421; rev:3;)
        new: #alert tcp !$HOME_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE REG 
files version 5 download"; content:"Windows Registry Editor Version 5.00"; 
content:"|0D 0A|"; content:"["; content:"HKEY_"; 
reference:url,www.ss64.com/nt/regedit.html; nocase;  classtype:misc-activity; 
sid:2000421; rev:3;)
        old: #alert tcp !$HOME_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE 
Executable and linking format (ELF) file download"; content:"|7F|ELF"; 
content:"|00 00 00 00 00 00 00 00|";  reference: 
url,www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm; 
classtype:misc-activity; sid:2000418; rev:3;)
        new: #alert tcp !$HOME_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE 
Executable and linking format (ELF) file download"; content:"|7F|ELF"; 
content:"|00 00 00 00 00 00 00 00|";  
reference:url,www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm;
 classtype:misc-activity; sid:2000418; rev:3;)
        old: #alert tcp !$HOME_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE EXE 
compressed PKWARE Windows file download"; content:"MZ"; isdataat:28,relative; 
content:"PKLITE"; distance:0; reference: 
url,www.program-transformation.org/Transform/PcExeFormat; 
classtype:misc-activity; sid:2000426; rev:3;)
        new: #alert tcp !$HOME_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE EXE 
compressed PKWARE Windows file download"; content:"MZ"; isdataat:28,relative; 
content:"PKLITE"; distance:0; 
reference:url,www.program-transformation.org/Transform/PcExeFormat; 
classtype:misc-activity; sid:2000426; rev:3;)
        old: #alert tcp !$HOME_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE PE 
EXE or DLL Windows file download"; content:"MZ"; isdataat:76,relative; 
content:"This program cannot be run in DOS mode."; distance: 0; 
isdataat:10,relative; content:"PE"; distance: 0; reference: 
url,hyatus.dune2.info/Miscellanous/exe_header.html; classtype:misc-activity; 
sid:2000419; rev:3;)
        new: #alert tcp !$HOME_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE PE 
EXE or DLL Windows file download"; content:"MZ"; isdataat:76,relative; 
content:"This program cannot be run in DOS mode."; distance: 0; 
isdataat:10,relative; content:"PE"; distance: 0; 
reference:url,hyatus.dune2.info/Miscellanous/exe_header.html; 
classtype:misc-activity; sid:2000419; rev:3;)
        old: #alert tcp !$HOME_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE REG 
files version 4 download"; content:"REGEDIT4"; content:"|0D 0A|"; content:"["; 
content:"HKEY_"; reference: url,www.ss64.com/nt/regedit.html; nocase;  
classtype:misc-activity; sid:2000420; rev:3;)
        new: #alert tcp !$HOME_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE REG 
files version 4 download"; content:"REGEDIT4"; content:"|0D 0A|"; content:"["; 
content:"HKEY_"; reference:url,www.ss64.com/nt/regedit.html; nocase;  
classtype:misc-activity; sid:2000420; rev:3;)
        old: #alert tcp !$HOME_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE NE 
EXE Windows 3.x file download"; content:"MZ"; isdataat:76,relative; 
content:"This program requires Microsoft Windows."; isdataat:10,relative; 
content:"NE"; distance:0; reference: 
url,www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm; 
classtype:misc-activity; sid:2000425; rev:3;)
        new: #alert tcp !$HOME_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE NE 
EXE Windows 3.x file download"; content:"MZ"; isdataat:76,relative; 
content:"This program requires Microsoft Windows."; isdataat:10,relative; 
content:"NE"; distance:0; 
reference:url,www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm;
 classtype:misc-activity; sid:2000425; rev:3;)
        old: #alert tcp !$HOME_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE REG 
files version 5 Unicode download"; content:"W|00|i|00|n|00|d|00|o|00|w|00|s|00| 
|00|R|00|e|00|g|00|i|00|s|00|t|00|r|00|y|00| |00|E|00|d|00|i|00|t|00|o|00|r|00| 
|00|V|00|e|00|r|00|s|00|i|00|o|00|n|00| |00|5|00|.|00|0|00|0|00|"; content:"|0D 
0A|"; content:"[|00|"; content:"H|00|K|00|E|00|Y|00|_|00|"; reference: 
url,www.ss64.com/nt/regedit.html; nocase;  classtype:misc-activity; 
sid:2000422; rev:3;)
        new: #alert tcp !$HOME_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE REG 
files version 5 Unicode download"; content:"W|00|i|00|n|00|d|00|o|00|w|00|s|00| 
|00|R|00|e|00|g|00|i|00|s|00|t|00|r|00|y|00| |00|E|00|d|00|i|00|t|00|o|00|r|00| 
|00|V|00|e|00|r|00|s|00|i|00|o|00|n|00| |00|5|00|.|00|0|00|0|00|"; content:"|0D 
0A|"; content:"[|00|"; content:"H|00|K|00|E|00|Y|00|_|00|"; 
reference:url,www.ss64.com/nt/regedit.html; nocase;  classtype:misc-activity; 
sid:2000422; rev:3;)
        old: #alert tcp !$HOME_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE ZIP 
file download"; content:"PK|0304|"; byte_test: 1, <=, 0x14, 0, string, hex; 
distance: 0; content:"|00 00 00|"; distance: 0; reference: 
url,zziplib.sourceforge.net/zzip-parse.print.html;classtype:misc-activity; 
sid:2000428; rev:3;)
        new: #alert tcp !$HOME_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE ZIP 
file download"; content:"PK|0304|"; byte_test: 1, <=, 0x14, 0, string, hex; 
distance: 0; content:"|00 00 00|"; distance: 0; 
reference:url,zziplib.sourceforge.net/zzip-parse.print.html;classtype:misc-activity;
 sid:2000428; rev:3;)
        old: #alert tcp !$HOME_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE PE 
EXE Install Windows file download"; content:"MZ"; isdataat:76,relative; 
content:"This program must be run under Win32"; distance:0; 
isdataat:140,relative; content:"PE"; distance:0; reference: 
url,www.program-transformation.org/Transform/PcExeFormat; 
classtype:misc-activity; sid:2000427; rev:3;)
        new: #alert tcp !$HOME_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE PE 
EXE Install Windows file download"; content:"MZ"; isdataat:76,relative; 
content:"This program must be run under Win32"; distance:0; 
isdataat:140,relative; content:"PE"; distance:0; 
reference:url,www.program-transformation.org/Transform/PcExeFormat; 
classtype:misc-activity; sid:2000427; rev:3;)

     -> Modified inactive in bleeding.rules (7):
        old: #alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 
(msg:"BLEEDING-EDGE MS-SQL SQL Injection allowing empty or wrong inputwith an 
OR 4"; flow:to_server,established; content:"'|00|'|00|";content:"O|00|R|00|"; 
content:"L|00|I|00|K|00|E|00|"; content:"'|00|'|00|"; reference: 
url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf;reference: 
url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html;nocase; 
classtype:attempted-user; sid:2000492; rev:3;)
        new: #alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 
(msg:"BLEEDING-EDGE MS-SQL SQL Injection allowing empty or wrong inputwith an 
OR 4"; flow:to_server,established; content:"'|00|'|00|";content:"O|00|R|00|"; 
content:"L|00|I|00|K|00|E|00|"; content:"'|00|'|00|"; 
reference:url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf;reference:url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html;nocase;
 classtype:attempted-user; sid:2000492; rev:3;)
        old: #alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 
(msg:"BLEEDING-EDGE MS-SQL SQL Injection allowing empty or wrong inputwith an 
OR 2"; flow:to_server,established; content:"'|00|'|00|";content:"O|00|R|00|"; 
content:">|00|"; content:"'|00|'|00|"; reference: 
url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf;reference: 
url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html;nocase; 
classtype:attempted-user; sid:2000490; rev:2;)
        new: #alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 
(msg:"BLEEDING-EDGE MS-SQL SQL Injection allowing empty or wrong inputwith an 
OR 2"; flow:to_server,established; content:"'|00|'|00|";content:"O|00|R|00|"; 
content:">|00|"; content:"'|00|'|00|"; 
reference:url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf;reference:url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html;nocase;
 classtype:attempted-user; sid:2000490; rev:2;)
        old: #alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 
(msg:"BLEEDING-EDGE MS-SQL SQL Injection trying to guess the column name"; 
flow:to_server,established; content:"'|00|"; content:"+|00|"; reference: 
url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf; reference: 
url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html; nocase; 
classtype:attempted-user; sid:2000374; rev:1;)
        new: #alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 
(msg:"BLEEDING-EDGE MS-SQL SQL Injection trying to guess the column name"; 
flow:to_server,established; content:"'|00|"; content:"+|00|"; 
reference:url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf; 
reference:url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html; 
nocase; classtype:attempted-user; sid:2000374; rev:1;)
        old: #alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 
(msg:"BLEEDING-EDGE MS-SQL SQL Injection allowing empty or wrong inputwith an 
OR 3"; flow:to_server,established; content:"'|00|'|00|";content:"O|00|R|00|"; 
content:"<|00|"; content:"'|00|'|00|"; reference: 
url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf;reference: 
url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html;nocase; 
classtype:attempted-user; sid:2000491; rev:3;)
        new: #alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 
(msg:"BLEEDING-EDGE MS-SQL SQL Injection allowing empty or wrong inputwith an 
OR 3"; flow:to_server,established; content:"'|00|'|00|";content:"O|00|R|00|"; 
content:"<|00|"; content:"'|00|'|00|"; 
reference:url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf;reference:url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html;nocase;
 classtype:attempted-user; sid:2000491; rev:3;)
        old: #alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 
(msg:"BLEEDING-EDGE MS-SQL SQL Injection running SQL statements NO line 
comment"; flow:to_server,established; content:"'|00|"; content:"'|00|'|00|"; 
reference: url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf; 
reference: url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html; 
nocase; classtype:attempted-user; sid:2000376; rev:1;)
        new: #alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 
(msg:"BLEEDING-EDGE MS-SQL SQL Injection running SQL statements NO line 
comment"; flow:to_server,established; content:"'|00|"; content:"'|00|'|00|"; 
reference:url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf; 
reference:url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html; 
nocase; classtype:attempted-user; sid:2000376; rev:1;)
        old: #alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 
(msg:"BLEEDING-EDGE MS-SQL SQL Injection allowing empty or wrong inputwith an 
OR 5"; flow:to_server,established; 
content:"'|00|'|00|";content:"O|00|R|00|";content:"B|00|E|00|T|00|W|00|E|00|E|00|N|00|";
 content:"'|00|'|00|"; reference: 
url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf;reference: 
url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html;nocase; 
classtype:attempted-user; sid:2000493; rev:3;)
        new: #alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 
(msg:"BLEEDING-EDGE MS-SQL SQL Injection allowing empty or wrong inputwith an 
OR 5"; flow:to_server,established; 
content:"'|00|'|00|";content:"O|00|R|00|";content:"B|00|E|00|T|00|W|00|E|00|E|00|N|00|";
 content:"'|00|'|00|"; 
reference:url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf;reference:url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html;nocase;
 classtype:attempted-user; sid:2000493; rev:3;)
        old: #alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 
(msg:"BLEEDING-EDGE MS-SQL SQL Injection allowing empty or wrong inputwith an 
OR"; flow:to_server,established; content:"'|00|'|00|";content:"O|00|R|00|"; 
content:"=|00|"; content:"'|00|'|00|"; reference: 
url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf;reference: 
url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html;nocase; 
classtype:attempted-user; sid:2000375; rev:3;)
        new: #alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 
(msg:"BLEEDING-EDGE MS-SQL SQL Injection allowing empty or wrong inputwith an 
OR"; flow:to_server,established; content:"'|00|'|00|";content:"O|00|R|00|"; 
content:"=|00|"; content:"'|00|'|00|"; 
reference:url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf;reference:url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html;nocase;
 classtype:attempted-user; sid:2000375; rev:3;)

[*] Non-rule line modifications: [*]
    None.

[*] Added files: [*]
    None.



-------------------------------------------------------
This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
Use IT products in your business? Tell us what you think of them. Give us
Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more
http://productguide.itmanagersjournal.com/guidepromo.tmpl
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Snort-sigs] FP for NETBIOS SMB-DS DCERPC NTLMSSP asn1 overflow attempt: sid 2383 -- the real one, Russell Fulton
Next by Date:  Re: [Snort-sigs] reporting false positives..., Matt Jonkman
Previous by Thread:  [Snort-sigs] Bleedingsnort.com Daily Update, matt
Next by Thread:  [Snort-sigs] Bleedingsnort.com Daily Update, matt
Indexes:  [Date] [Thread] [Top] [All Lists]