ids_rules_parser 0.2.0

data/Manifest

@@ -0,0 +1,10 @@
+README.markdown
+Rakefile
+bin/ids_rules_parser
+ids_rules_parser.gemspec
+lib/ids_rules.treetop
+lib/ids_rules_parser.rb
+test/ids_rules_parser_test.rb
+test/rules/emerging-attack_response.rules
+test/rules/test2.rules
+Manifest

data/README.markdown

@@ -0,0 +1,75 @@
+Suricata IDS/IPS Rules Parser
+===========
+
+A treetop grammar for turning the weird and whacky IDS/IPS rules used by Snort and Suricata into an array of hashes.
+
+Features
+--------
+
+
+Rules are of the format
+
+    alert PROTO HOMENET HOMEPORTS -> EXTNET EXTPORTS (KEY_VALUE_PAIRS)
+
+This grammar will parse the rules and them in to
+
+    [
+      {:application => {:protocol => PROTO,
+                        :src_hosts => HOMENET,
+                        :src_ports => HOMEPORTS,
+                        :dst_hosts => EXTNET,
+                        :dst_ports => EXTPORTS}
+       :signature =>   {:key1 => :value1,
+                        :key2 => :value2,
+                        .........}
+       },
+       ....
+    ]
+
+Examples
+--------
+
+    require 'rubygems'
+    require 'treetop'
+    Treetop.require 'rules'
+    parser = RulesParser.new
+    parser.parse(some_rule_data)
+
+Requirements
+------------
+
+  Treetop
+
+Install
+-------
+
+  gem install ids_rules_parser
+
+Author
+------
+
+Original authors: Xavier Lange, Kris Barrett
+
+License
+-------
+
+Copyright (c) 2011 Xavier Lange and Kris Barrett
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+'Software'), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/Rakefile

@@ -0,0 +1,14 @@
+require 'rubygems'
+require 'rake'
+require 'echoe'
+
+Echoe.new('ids_rules_parser', '0.2.0') do |p|
+	p.description = "A PEG/Treetop Compatible Grammar for IDS/IPS Rules"
+	p.url         = "https://github.com/krisbarrett/suricata_rules_parser"
+	p.author      = "Kris Barrett"
+	p.email       = "krisbarrett@gmail.com"
+	p.ignore_pattern = ["tmp/*", "script/*"]
+	p.development_dependencies = []
+end
+
+Dir["#{File.dirname(__FILE__)}/tasks/*.rake"].sort.each {|ext| load ext}

data/bin/ids_rules_parser

@@ -0,0 +1,56 @@
+#!/usr/bin/env ruby
+$LOAD_PATH << ::File.expand_path(::File.dirname(__FILE__)) + "/../lib"
+require 'rubygems'
+require 'bundler'
+require 'pp'
+Bundler.require if File.exists?("./Gemfile")
+require 'ids_rules_parser'
+require 'json'
+
+if ARGV.empty?
+  puts "usage: ids_rules_parser path/to/rules/file"
+  exit(1)
+end
+
+# Parse each file
+file_list = ARGV.collect {|x| Dir.glob(x)}
+file_list.flatten!
+file_list.uniq!
+file_list.each do |filename|
+	# Setup parser
+	parser = IDSRulesParser.new
+	parser.consume_all_input = true
+
+	# Open input file
+	puts filename
+	file = File.open(filename, 'r')
+		
+	# Open output file
+	File.open(filename+".json",'w') do |writer|
+		begin
+			client_friendly_data = {}
+			while((contents = file.gets) != nil)
+				# Process a line of input
+				rule_data = parser.parse(contents).process
+				
+				# Output rule information to json file
+				rule_data.each do |x|
+					# Extract key
+					gid = x[:signature]["gid"]
+					if(gid.nil?) then
+						gid = "1"
+					end
+					sid = x[:signature]["sid"]
+					rev = x[:signature]["rev"]
+					key = gid + "." + sid + "." + rev
+					
+					# Merge all data into a single hash
+					client_friendly_data.merge!(key => x)
+				end
+			end
+			# Conver to json and output to json file
+			writer.puts (client_friendly_data.to_json)
+		end
+	end
+end
+exit(1)

data/ids_rules_parser.gemspec

@@ -0,0 +1,33 @@
+# -*- encoding: utf-8 -*-
+
+Gem::Specification.new do |s|
+  s.name = %q{ids_rules_parser}
+  s.version = "0.2.0"
+
+  s.required_rubygems_version = Gem::Requirement.new(">= 1.2") if s.respond_to? :required_rubygems_version=
+  s.authors = ["Kris Barrett"]
+  s.date = %q{2011-03-30}
+  s.default_executable = %q{ids_rules_parser}
+  s.description = %q{A PEG/Treetop Compatible Grammar for IDS/IPS Rules}
+  s.email = %q{krisbarrett@gmail.com}
+  s.executables = ["ids_rules_parser"]
+  s.extra_rdoc_files = ["README.markdown", "bin/ids_rules_parser", "lib/ids_rules.treetop", "lib/ids_rules_parser.rb"]
+  s.files = ["README.markdown", "Rakefile", "bin/ids_rules_parser", "ids_rules_parser.gemspec", "lib/ids_rules.treetop", "lib/ids_rules_parser.rb", "test/ids_rules_parser_test.rb", "test/rules/emerging-attack_response.rules", "test/rules/test2.rules", "Manifest"]
+  s.homepage = %q{https://github.com/krisbarrett/suricata_rules_parser}
+  s.rdoc_options = ["--line-numbers", "--inline-source", "--title", "Ids_rules_parser", "--main", "README.markdown"]
+  s.require_paths = ["lib"]
+  s.rubyforge_project = %q{ids_rules_parser}
+  s.rubygems_version = %q{1.3.7}
+  s.summary = %q{A PEG/Treetop Compatible Grammar for IDS/IPS Rules}
+  s.test_files = ["test/ids_rules_parser_test.rb"]
+
+  if s.respond_to? :specification_version then
+    current_version = Gem::Specification::CURRENT_SPECIFICATION_VERSION
+    s.specification_version = 3
+
+    if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
+    else
+    end
+  else
+  end
+end

data/lib/ids_rules.treetop

@@ -0,0 +1,133 @@
+require 'rubygems'
+require 'treetop'
+require 'pp'
+
+grammar IDSRules
+  rule rules_file
+    (complete_sig / comment / empty_line)*
+    {
+        def process
+            elements.collect do |x|
+                x.process
+            end.select do |x|
+                !x.nil?
+            end
+        end
+    }
+  end
+  rule comment
+    "#" comment_text:(![\n] .)* "\n"
+    {
+        def process
+            nil
+        end
+    }
+  end
+  rule empty_line
+    ((!"\n" [\s])+)? "\n"
+    {
+        def process
+            nil
+        end
+    }
+  end
+  rule complete_sig
+    app sig
+    {
+        def process
+            app_processed = app.process
+            sig_processed = sig.process
+            return {:application => app_processed, :signature => sig_processed}
+        end
+    }
+  end
+  rule app
+    "alert" space proto space src_host:hosts space src_port:ports space direction space dst_host:hosts space dst_port:ports space
+    {
+        def process
+            return {:protocol => proto.text_value,
+                    :src_hosts => src_host.text_value,
+                    :src_ports => src_port.text_value,
+                    :dst_hosts => dst_host.text_value,
+                    :dst_ports => dst_port.text_value,
+                    :direction => direction.text_value}
+        end
+    }
+  end
+  rule sig
+    "(" values:(lone_key / key_value_pair)+ ")"
+    {
+        def process
+            collection = values.elements.inject({}) do |hash,x|
+                hash.merge!(x.process)
+                hash
+            end
+            collection
+        end
+    }
+  end
+  rule key_value_pair
+    #space? key ":" value:(quoted_value/value) ";"
+    space? key ":" value:((quoted_value)/(value)) space?
+    {
+        def process
+            return {key.process => value.process}
+        end
+    }
+  end
+  rule key
+    [\w]+
+    {
+        def process
+            text_value
+        end
+    }
+  end
+  rule lone_key
+    space? key ";"
+    {
+        def process
+            return {key.text_value => nil}
+        end
+    }
+  end
+  rule value
+    #(!"\;" .)* ";"
+    the_value:((!";" value_char)*) ";"
+    {
+        def process
+            the_value.text_value
+        end
+    }
+  end
+  rule quoted_value # for future ref
+    # ("\"" (!unescaped_quote .)* "\";")
+    "\"" the_value:(!"\";" .)* "\";"
+    {
+        def process
+            the_value.text_value
+        end
+    }
+  end
+  rule unescaped_quote
+    !(!"[" "\"")
+  end
+  rule space
+    [\s]+
+  end
+  rule proto
+    "tcp" / "udp" / "icmp" / "ip"
+  end
+  rule hosts
+    (!" " .)* / "any"
+  end
+  rule ports
+    (!" " .)* / "any"
+  end
+  rule direction
+    "->" / "<>" / "<-"
+  end
+rule value_char
+    ("\\" .) / .
+  end
+end

data/lib/ids_rules_parser.rb

@@ -0,0 +1,7 @@
+require 'treetop'
+Treetop.require 'ids_rules'
+
+
+module IdsRulesParser
+end
+

data/test/ids_rules_parser_test.rb

@@ -0,0 +1,11 @@
+$: << "../lib"
+
+require 'rubygems'
+require 'test/unit'
+require 'bundler'
+Bundler.require
+
+class IDSRulesParserTest < Test::Unit::TestCase
+  def setup
+  end
+end

data/test/rules/emerging-attack_response.rules

@@ -0,0 +1,239 @@
+#
+# $Id: emerging-attack_response.rules,v 1.3817 2010/07/08 07:16:10 jonkman Exp $
+#
+# Emerging Threats attack response rules. 
+#
+# SID's are 2000000+ to avoid conflicts
+#
+# More information available at www.emergingthreats.net
+#
+# Please submit any custom rules or ideas to emerging@emergingthreats.net or the emerging-sigs mailing list
+#
+#*************************************************************
+#
+#  Copyright (c) 2003-2010, Emerging Threats
+#  All rights reserved.
+#  
+#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
+#  following conditions are met:
+#  
+#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
+#    disclaimer.
+#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
+#    following disclaimer in the documentation and/or other materials provided with the distribution.
+#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
+#    from this software without specific prior written permission.
+#  
+#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
+#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
+#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
+#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
+#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
+#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
+#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+#
+#
+#by Jaime Blasco
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE HTTP 401 Unauthorized"; flow:from_server,established; content:"HTTP/1."; depth:7; content:" 401"; within:5; threshold: type both, count 1, seconds 300, track by_dst; classtype:attempted-recon; reference:url,doc.emergingthreats.net/2009345; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_401_Unauthorized; sid:2009345; rev:5;)
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Frequent HTTP 401 Unauthorized - Possible Brute Force Attack"; flow:from_server,established; content:"HTTP/1."; depth:7; content:" 401"; within:5; threshold:type both, track by_dst, count 30, seconds 60; classtype:attempted-recon; reference:url,doc.emergingthreats.net/2009346; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_401_Unauthorized; sid:2009346; rev:5;)
+
+#by David Wharton
+#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Possible ASPXSpy Request"; flow:established,from_server; content:"Thanks Snailsor,FuYu,BloodSword"; classtype:web-application-activity; reference:url,doc.emergingthreats.net/2009146; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_ASPXSpy; sid:2009146; rev:2;)
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Possible ASPXSpy Related Activity"; flow:established,from_server; content:"public string Password|3D 22|21232f297a57a5a743894a0e4a801fc3|22 3B|"; nocase; classtype:web-application-activity; reference:url,doc.emergingthreats.net/2009147; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_ASPXSpy; sid:2009147; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET ATTACK_RESPONSE Possible ASPXSpy Upload Attempt"; flow:established,to_server; content:"public string Password|3D 22|21232f297a57a5a743894a0e4a801fc3|22 3B|"; nocase; classtype:web-application-activity; reference:url,doc.emergingthreats.net/2009149; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_ASPXSpy; sid:2009149; rev:2;)
+
+#by Jaime Blasco
+alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"ET ATTACK_RESPONSE Cisco TclShell TFTP Read Request"; content:"|00 01 74 63 6C 73 68 2E 74 63 6C|"; classtype:bad-unknown; reference:url,wwww.irmplc.com/downloads/whitepapers/Creating_Backdoors_in_Cisco_IOS_using_Tcl.pdf; reference:url,doc.emergingthreats.net/2009244; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Cisco_TCL_Shell; sid:2009244; rev:2;)
+alert udp $EXTERNAL_NET 69 -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Cisco TclShell TFTP Download"; content:"|54 63 6C 53 68 65 6C 6C|"; classtype:bad-unknown; reference:url,wwww.irmplc.com/downloads/whitepapers/Creating_Backdoors_in_Cisco_IOS_using_Tcl.pdf; reference:url,doc.emergingthreats.net/2009245; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Cisco_TCL_Shell; sid:2009245; rev:2;)
+
+#by Jaime Blasco
+alert tcp any any -> any any (msg:"ET ATTACK_RESPONSE Bindshell2 Decoder Shellcode"; flow:established; content:"|53 53 53 53 53 43 53 43 53 FF D0 66 68|"; content:"|66 53 89 E1 95 68 A4 1A|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009246; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009246; rev:3;)
+alert udp any any -> any any (msg:"ET ATTACK_RESPONSE Bindshell2 Decoder Shellcode (UDP)"; content:"|53 53 53 53 53 43 53 43 53 FF D0 66 68|"; content:"|66 53 89 E1 95 68 A4 1A|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009285; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009285; rev:2;)
+alert tcp any any -> any any (msg:"ET ATTACK_RESPONSE Rothenburg Shellcode"; flow:established; content:"|D9 74 24 F4 5B 81 73 13|"; content:"|83 EB FC E2 F4|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009247; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009247; rev:3;)
+alert udp any any -> any any (msg:"ET ATTACK_RESPONSE Rothenburg Shellcode (UDP)"; content:"|D9 74 24 F4 5B 81 73 13|"; content:"|83 EB FC E2 F4|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009284; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009284; rev:2;)
+alert tcp any any -> any any (msg:"ET ATTACK_RESPONSE Lindau (linkbot) xor Decoder Shellcode"; flow:established; content:"|EB 15 B9|"; content:"|81 F1|"; distance:0; content:"|80 74 31 FF|"; distance:0; content:"|E2 F9 EB 05 E8 E6 FF FF FF|"; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009248; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009248; rev:3;)
+alert udp any any -> any any (msg:"ET ATTACK_RESPONSE Lindau (linkbot) xor Decoder Shellcode (UDP)"; content:"|EB 15 B9|"; content:"|81 F1|"; distance:0; content:"|80 74 31 FF|"; distance:0; content:"|E2 F9 EB 05 E8 E6 FF FF FF|"; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009283; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009283; rev:2;)
+alert tcp any any -> any any (msg:"ET ATTACK_RESPONSE Adenau Shellcode"; flow:established; content:"|eb 19 5e 31 c9 81 e9|"; content:"|81 36|"; distance:0; content:"|81 ee fc ff ff ff|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009249; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009249; rev:3;)
+alert udp any any -> any any (msg:"ET ATTACK_RESPONSE Adenau Shellcode (UDP)"; content:"|eb 19 5e 31 c9 81 e9|"; content:"|81 36|"; distance:0; content:"|81 ee fc ff ff ff|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009282; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009282; rev:2;)
+alert tcp any any -> any any (msg:"ET ATTACK_RESPONSE Mainz/Bielefeld Shellcode"; flow:established; content:"|33 c9 66 b9|"; content:"|80 34|"; distance:0; content:"|eb 05 e8 eb ff ff ff|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009250; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009250; rev:3;)
+alert udp any any -> any any (msg:"ET ATTACK_RESPONSE Mainz/Bielefeld Shellcode (UDP)"; content:"|33 c9 66 b9|"; content:"|80 34|"; distance:0; content:"|eb 05 e8 eb ff ff ff|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009281; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009281; rev:2;)
+alert tcp any any -> any any (msg:"ET ATTACK_RESPONSE Wuerzburg Shellcode"; flow:established; content:"|eb 27|"; content:"|5d 33 c9 66 b9|"; distance:0; content:"|8d 75 05 8b fe 8a 06 3c|"; distance:0; content:"|75 05 46 8a 06|"; distance:0; content:"|88 07 47 e2 ed eb 0a e8 da ff ff ff|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009251; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009251; rev:3;)
+alert udp any any -> any any (msg:"ET ATTACK_RESPONSE Wuerzburg Shellcode (UDP)"; content:"|eb 27|"; content:"|5d 33 c9 66 b9|"; distance:0; content:"|8d 75 05 8b fe 8a 06 3c|"; distance:0; content:"|75 05 46 8a 06|"; distance:0; content:"|88 07 47 e2 ed eb 0a e8 da ff ff ff|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009280; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009280; rev:2;)
+alert tcp any any -> any any (msg:"ET ATTACK_RESPONSE Schauenburg Shellcode"; flow:established; content:"|eb 0f 8b 34 24 33 c9 80 c1|"; content:"|80 36|"; distance:0; content:"|46 e2 fa c3 e8 ec|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009252; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009252; rev:3;)
+alert udp any any -> any any (msg:"ET ATTACK_RESPONSE Schauenburg Shellcode (UDP)"; content:"|eb 0f 8b 34 24 33 c9 80 c1|"; content:"|80 36|"; distance:0; content:"|46 e2 fa c3 e8 ec|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009279; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009279; rev:2;)
+alert tcp any any -> any any (msg:"ET ATTACK_RESPONSE Koeln Shellcode"; flow:established; content:"|eb 0f 8b 34 24 33 c9 80 c1|"; content:"|80 36|"; distance:0; content:"|46 e2 fa c3 e8 ec|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009253; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009253; rev:3;)
+alert udp any any -> any any (msg:"ET ATTACK_RESPONSE Koeln Shellcode (UDP)"; content:"|eb 0f 8b 34 24 33 c9 80 c1|"; content:"|80 36|"; distance:0; content:"|46 e2 fa c3 e8 ec|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009278; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009278; rev:2;)
+alert tcp any any -> any any (msg:"ET ATTACK_RESPONSE Lichtenfels Shellcode"; flow:established; content:"|01 fc ff ff 83 e4 fc 8b ec 33 c9 66 b9|"; content:"|80 30|"; distance:0; content:"|40 e2 fA|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009254; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009254; rev:3;)
+alert udp any any -> any any (msg:"ET ATTACK_RESPONSE Lichtenfels Shellcode (UDP)"; content:"|01 fc ff ff 83 e4 fc 8b ec 33 c9 66 b9|"; content:"|80 30|"; distance:0; content:"|40 e2 fA|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009277; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009277; rev:2;)
+alert tcp any any -> any any (msg:"ET ATTACK_RESPONSE Mannheim Shellcode"; flow:established; content:"|80 73 0e|"; content:"|43 e2|"; distance:0; content:"|73 73 73|"; distance:0; content:"|81 86 8c 81|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009255; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009255; rev:3;)
+alert udp any any -> any any (msg:"ET ATTACK_RESPONSE Mannheim Shellcode (UDP)"; content:"|80 73 0e|"; content:"|43 e2|"; distance:0; content:"|73 73 73|"; distance:0; content:"|81 86 8c 81|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009276; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009276; rev:2;)
+alert tcp any any -> any any (msg:"ET ATTACK_RESPONSE Berlin Shellcode"; flow:established; content:"|31 c9 b1 fc 80 73 0c|"; content:"|43 e2 8b 9f|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009256; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009256; rev:3;)
+alert udp any any -> any any (msg:"ET ATTACK_RESPONSE Berlin Shellcode (UDP)"; content:"|31 c9 b1 fc 80 73 0c|"; content:"|43 e2 8b 9f|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009275; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009275; rev:2;)
+alert tcp any any -> any any (msg:"ET ATTACK_RESPONSE Leimbach Shellcode"; flow:established; content:"|5b 31 c9 b1|"; content:"|80 73|"; distance:0; content:"|43 e2|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009257; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009257; rev:3;)
+alert udp any any -> any any (msg:"ET ATTACK_RESPONSE Leimbach Shellcode (UDP)"; content:"|5b 31 c9 b1|"; content:"|80 73|"; distance:0; content:"|43 e2|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009274; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009274; rev:2;)
+alert tcp any any -> any any (msg:"ET ATTACK_RESPONSE Aachen Shellcode"; flow:established; content:"|8b 45 04 35|"; content:"|89 45 04 66 8b 45 02 66 35|"; distance:0; content:"|66 89 45 02|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009258; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009258; rev:3;)
+alert udp any any -> any any (msg:"ET ATTACK_RESPONSE Aachen Shellcode (UDP)"; content:"|8b 45 04 35|"; content:"|89 45 04 66 8b 45 02 66 35|"; distance:0; content:"|66 89 45 02|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009273; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009273; rev:2;)
+alert tcp any any -> any any (msg:"ET ATTACK_RESPONSE Furth Shellcode"; flow:established; content:"|31 c9 66 b9|"; content:"|80 73|"; distance:0; content:"|43 e2 1f|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009259; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009259; rev:3;)
+alert udp any any -> any any (msg:"ET ATTACK_RESPONSE Furth Shellcode (UDP)"; content:"|31 c9 66 b9|"; content:"|80 73|"; distance:0; content:"|43 e2 1f|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009272; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009272; rev:2;)
+alert tcp any any -> any any (msg:"ET ATTACK_RESPONSE Langenfeld Shellcode"; flow:established; content:"|eb 0f 5b 33 c9 66 b9|"; content:"|80 33|"; distance:0; content:"|43 e2 fa eb|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009260; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009260; rev:3;)
+alert udp any any -> any any (msg:"ET ATTACK_RESPONSE Langenfeld Shellcode (UDP)"; content:"|eb 0f 5b 33 c9 66 b9|"; content:"|80 33|"; distance:0; content:"|43 e2 fa eb|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009271; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009271; rev:2;)
+alert tcp any any -> any any (msg:"ET ATTACK_RESPONSE Bonn Shellcode"; flow:established; content:"|31 c9 81 e9|"; content:"|83 eb|"; distance:0; content:"|80 73|"; distance:0; content:"|43 e2 f9|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009261; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009261; rev:3;)
+alert udp any any -> any any (msg:"ET ATTACK_RESPONSE Bonn Shellcode (UDP)"; content:"|31 c9 81 e9|"; content:"|83 eb|"; distance:0; content:"|80 73|"; distance:0; content:"|43 e2 f9|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009270; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009270; rev:2;)
+alert tcp any any -> any any (msg:"ET ATTACK_RESPONSE Siegburg Shellcode"; flow:established; content:"|31 eb 80 eb|"; content:"|58 80 30|"; distance:0; content:"|40 81 38|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009262; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009262; rev:3;)
+alert udp any any -> any any (msg:"ET ATTACK_RESPONSE Siegburg Shellcode (UDP)"; content:"|31 eb 80 eb|"; content:"|58 80 30|"; distance:0; content:"|40 81 38|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009269; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009269; rev:2;)
+alert tcp any any -> any any (msg:"ET ATTACK_RESPONSE Plain1 Shellcode"; flow:established; content:"|89 e1 cd|"; content:"|5b 5d 52 66 bd|"; distance:0; content:"|0f cd 09 dd 55 6a|"; distance:0; content:"|51 50|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009263; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009263; rev:3;)
+alert udp any any -> any any (msg:"ET ATTACK_RESPONSE Plain1 Shellcode (UDP)"; content:"|89 e1 cd|"; content:"|5b 5d 52 66 bd|"; distance:0; content:"|0f cd 09 dd 55 6a|"; distance:0; content:"|51 50|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009268; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009268; rev:2;)
+alert tcp any any -> any any (msg:"ET ATTACK_RESPONSE Plain2 Shellcode"; flow:established; content:"|50 50 50 50 40 50 40 50 ff 56 1c 8b d8 57 57 68 02|"; content:"|8b cc 6a|"; distance:0; content:"|51 53|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009264; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009264; rev:3;)
+alert udp any any -> any any (msg:"ET ATTACK_RESPONSE Plain2 Shellcode (UDP)"; content:"|50 50 50 50 40 50 40 50 ff 56 1c 8b d8 57 57 68 02|"; content:"|8b cc 6a|"; distance:0; content:"|51 53|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009267; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009267; rev:2;)
+alert tcp any any -> any any (msg:"ET ATTACK_RESPONSE Bindshell1 Decoder Shellcode"; flow:established; content:"|58 99 89 E1 CD 80 96 43 52 66 68|"; content:"|66 53 89 E1 6A 66 58 50 51 56|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009265; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009265; rev:3;)
+alert udp any any -> any any (msg:"ET ATTACK_RESPONSE Bindshell1 Decoder Shellcode (UDP)"; content:"|58 99 89 E1 CD 80 96 43 52 66 68|"; content:"|66 53 89 E1 6A 66 58 50 51 56|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009266; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009266; rev:2;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET ATTACK_RESPONSE FTP CWD to windows system32 - Suspicious"; flow:established,to_server; content:"CWD C\:\\WINDOWS\\system32\\"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008556; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_FTP; sid:2008556; rev:5;)
+
+#Submitted by Joseph Gama
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "ET ATTACK_RESPONSE FTP inaccessible directory access COM1"; flow: established; content:"/COM1/"; nocase; classtype: string-detect; reference:url,doc.emergingthreats.net/bin/view/Main/2000499; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Hidden_FTP_File_Activity; sid:2000499; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "ET ATTACK_RESPONSE FTP inaccessible directory access COM2"; flow: established; content:"/COM2/"; nocase; classtype: string-detect; reference:url,doc.emergingthreats.net/bin/view/Main/2000500; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Hidden_FTP_File_Activity; sid:2000500; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "ET ATTACK_RESPONSE FTP inaccessible directory access COM3"; flow: established; content:"/COM3/"; nocase; classtype: string-detect; reference:url,doc.emergingthreats.net/bin/view/Main/2000501; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Hidden_FTP_File_Activity; sid:2000501; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "ET ATTACK_RESPONSE FTP inaccessible directory access COM4"; flow: established; content:"/COM4/"; nocase; classtype: string-detect; reference:url,doc.emergingthreats.net/bin/view/Main/2000502; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Hidden_FTP_File_Activity; sid:2000502; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "ET ATTACK_RESPONSE FTP inaccessible directory access LPT1"; flow: established; content:"/LPT1/"; nocase; classtype: string-detect; reference:url,doc.emergingthreats.net/bin/view/Main/2000503; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Hidden_FTP_File_Activity; sid:2000503; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "ET ATTACK_RESPONSE FTP inaccessible directory access LPT2"; flow: established; content:"/LPT2/"; nocase; classtype: string-detect; reference:url,doc.emergingthreats.net/bin/view/Main/2000504; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Hidden_FTP_File_Activity; sid:2000504; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "ET ATTACK_RESPONSE FTP inaccessible directory access LPT3"; flow: established; content:"/LPT3/"; nocase; classtype: string-detect; reference:url,doc.emergingthreats.net/bin/view/Main/2000505; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Hidden_FTP_File_Activity; sid:2000505; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "ET ATTACK_RESPONSE FTP inaccessible directory access LPT4"; flow: established; content:"/LPT4/"; nocase; classtype: string-detect; reference:url,doc.emergingthreats.net/bin/view/Main/2000506; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Hidden_FTP_File_Activity; sid:2000506; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "ET ATTACK_RESPONSE FTP inaccessible directory access AUX"; flow: established; content:"/AUX/"; nocase; classtype: string-detect; reference:url,doc.emergingthreats.net/bin/view/Main/2000507; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Hidden_FTP_File_Activity; sid:2000507; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "ET ATTACK_RESPONSE FTP inaccessible directory access NULL"; flow: established; content:"/NULL/"; nocase; classtype: string-detect; reference:url,doc.emergingthreats.net/bin/view/Main/2000508; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Hidden_FTP_File_Activity; sid:2000508; rev:8;)
+
+#by Matt Jonkman
+# seeing some worms/trojans use an ftp server with all banners stripped out
+# on off ports to download payload after the initial compromise.
+# Just stats codes, no welcome, etc. Very unique
+# something like:
+#220
+#USER a
+#331
+#PASS a
+#230
+#TYPE I
+#200
+#PORT 10,2,32,214,4,9
+#200
+#RETR msnnmaneger.exe
+#150
+#226
+#QUIT
+#221
+
+#removing a few to simplify
+alert tcp $HOME_NET 1024: -> any 1024: (msg:"ET ATTACK_RESPONSE Off-Port FTP Without Banners - user"; flow:established,from_server; dsize:>7; content:"USER "; depth:5; offset:0; content:" |0d 0a|"; distance:1; flowbits:noalert; flowbits:set,ET.strippedftpuser; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007715; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Hostile_FTP; sid:2007715; rev:6;)
+alert tcp $HOME_NET 1024: -> any 1024: (msg:"ET ATTACK_RESPONSE Off-Port FTP Without Banners - pass"; flowbits:isset,ET.strippedftpuser; flow:established,from_server; dsize:>7; content:"PASS "; depth:5; offset:0; content:" |0d 0a|"; distance:1; flowbits:set,ET.strippedftppass; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007717; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Hostile_FTP; sid:2007717; rev:7;)
+alert tcp $HOME_NET 1024: -> any 1024: (msg:"ET ATTACK_RESPONSE Off-Port FTP Without Banners - retr"; flowbits:isset,ET.strippedftppass; flow:established,from_server; dsize:>7; content:"RETR "; depth:5; offset:0; tag:session,300,seconds; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007723; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Hostile_FTP; sid:2007723; rev:8;)
+
+
+#matt jonkman, info from qru
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Windows LMHosts File Download - Likely DNSChanger Infection"; flow:established,to_client; content:"#|0d 0a|# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.|0d 0a|#|0d 0a|# This file contains the mappings of IP addresses to host names."; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008559; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_LMHosts_Download; sid:2008559; rev:4;)
+
+#Matt Jonkman, information from Stephen Gill at Cymru
+alert tcp any 21 -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Hostile FTP Server Banner (StnyFtpd)"; flow:established,from_server; content:"220 StnyFtpd 0wns j0"; offset:0; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002809; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Malicious_FTP; sid:2002809; rev:5;)
+alert tcp any 21 -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Hostile FTP Server Banner (Reptile)"; flow:established,from_server; content:"220 Reptile welcomes you"; offset:0; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002810; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Malicious_FTP; sid:2002810; rev:4;)
+alert tcp any 21 -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Hostile FTP Server Banner (Bot Server)"; flow:established,from_server; content:"220 Bot Server (Win32)"; offset:0; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002811; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Malicious_FTP; sid:2002811; rev:5;)
+alert tcp any 21 -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Unusual FTP Server Banner (warFTPd)"; flow:established,from_server; content:"220 "; content:"--warFTPd "; depth:40; distance:0; nocase; classtype:trojan-activity; reference:url,www.warftp.org; reference:url,doc.emergingthreats.net/bin/view/Main/2003464; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Malicious_FTP; sid:2003464; rev:4;)
+alert tcp any 21 -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Unusual FTP Server Banner (freeFTPd)"; flow:established,from_server; content:"220 "; content:"--freeFTPd "; depth:40; distance:0; nocase; classtype:trojan-activity; reference:url,www.freeftp.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003465; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Malicious_FTP; sid:2003465; rev:4;)
+
+#Matt Jonkman, off port ftp banners
+alert tcp any 1024: -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Unusual FTP Server Banner on High Port (WinFtpd)"; flow:established,from_server; dsize:<18; content:"220 WinFtpd"; depth:11; offset:0; nocase; classtype:trojan-activity; tag:session,300,seconds; reference:url,doc.emergingthreats.net/bin/view/Main/2007725; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Malicious_FTP; sid:2007725; rev:5;)
+alert tcp any 1024: -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Unusual FTP Server Banner on High Port (StnyFtpd)"; flow:established,from_server; dsize:<30; content:"220 StnyFtpd"; depth:12; offset:0; nocase; classtype:trojan-activity; tag:session,300,seconds; reference:url,doc.emergingthreats.net/bin/view/Main/2007726; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Malicious_FTP; sid:2007726; rev:5;)
+
+#by Jaime Blasco
+alert tcp any [21,1024:] -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Unusual FTP Server Banner (fuckFtpd)"; flow:established,from_server; dsize:<18; content:"220 fuckFtpd"; depth:12; offset:0; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009210; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Malicious_FTP; sid:2009210; rev:3;)
+alert tcp any [21,1024:] -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Unusual FTP Server Banner (NzmxFtpd)"; flow:established,from_server; dsize:<18; content:"220 NzmxFtpd"; depth:12; offset:0; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009211; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Malicious_FTP; sid:2009211; rev:3;)
+
+#by josh smith
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET ATTACK_RESPONSE Matahari client"; flow:to_server,established; content:"Accept|2d|Encoding|3a 20|identity|0d 0a|"; pcre:"/Content\x2dSalt\x3a\x20[0-9\.\-]+\x0d\x0a/iR"; content:"Next|2d|Polling"; distance:0; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010795; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Matahari; sid:2010795; rev:4;)
+
+#by Kevin Ross
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter File Download Detected"; flow:to_client,established; content:"stdapi_fs_stat"; depth:54; classtype:successful-user; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009558; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter; sid:2009558; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Process List (ps) Command Detected"; flow:to_client,established; content:"stdapi_sys_process_get_processes"; depth:65; classtype:successful-user; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009559; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter; sid:2009559; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Getuid Command Detected"; flow:to_client,established; content:"stdapi_sys_config_getuid"; depth:65; classtype:successful-user; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009560; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter; sid:2009560; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Process Migration Detected"; flow:to_client,established; content:"core_migrate"; depth:60; classtype:successful-user; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009561; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter; sid:2009561; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter ipconfig Command Detected"; flow:to_client,established; content:"stdapi_net_config_get_interfaces"; depth:65; threshold: type threshold, track by_src, count 2, seconds 4; classtype:successful-user; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009562; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter; sid:2009562; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Sysinfo Command Detected"; flow:to_client,established; content:"stdapi_sys_config_sysinfo"; depth:60; classtype:successful-user; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009563; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter; sid:2009563; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Route Command Detected"; flow:to_client,established; content:"stdapi_net_config_get_route"; depth:62; classtype:successful-user; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009564; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter; sid:2009564; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Kill Process Command Detected"; flow:to_client,established; content:"stdapi_sys_process_kill"; depth:60; classtype:successful-user; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009565; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter; sid:2009565; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Print Working Directory Command Detected"; flow:to_client,established; content:"stdapi_fs_getwd"; depth:55; classtype:successful-user; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009566; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter; sid:2009566; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter View Current Process ID Command Detected"; flow:to_client,established; content:"stdapi_sys_process_getpid"; depth:60; classtype:successful-user; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009567; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter; sid:2009567; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Execute Command Detected"; flow:to_client,established; content:"stdapi_sys_process_execute"; depth:62; classtype:successful-user; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009568; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter; sid:2009568; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter System Reboot/Shutdown Detected"; flow:to_client,established; content:"stdapi_sys_power_exitwindows"; depth:62; classtype:successful-user; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009569; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter; sid:2009569; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter System Get Idle Time Command Detected"; flow:to_client,established; content:"stdapi_ui_get_idle_time"; depth:60; classtype:successful-user; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009570; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter; sid:2009570; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Make Directory Command Detected"; flow:to_client,established; content:"stdapi_fs_mkdir"; depth:55; classtype:successful-user; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009571; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter; sid:2009571; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Remove Directory Command Detected"; flow:to_client,established; content:"stdapi_fs_delete_dir"; depth:57; classtype:successful-user; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009572; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter; sid:2009572; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Change Directory Command Detected"; flow:to_client,established; content:"stdapi_fs_chdir"; depth:57; classtype:successful-user; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009573; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter; sid:2009573; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter List (ls) Command Detected"; flow:to_client,established; content:"stdapi_fs_ls"; depth:52; classtype:successful-user; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009574; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter; sid:2009574; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter rev2self Command Detected"; flow:to_client,established; content:"stdapi_sys_config_rev2self"; depth:52; classtype:successful-user; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009575; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter; sid:2009575; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Enabling/Disabling of Keyboard Detected"; flow:to_client,established; content:"stdapi_ui_enable_keyboard"; depth:60; classtype:successful-user; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009576; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter; sid:2009576; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Enabling/Disabling of Mouse Detected"; flow:to_client,established; content:"stdapi_ui_enable_mouse"; depth:60; classtype:successful-user; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009577; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter; sid:2009577; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter File/Memory Interaction Detected"; flow:to_client,established; content:"stdapi_fs_file_expand_path"; depth:60; classtype:successful-user; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009578; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter; sid:2009578; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Registry Interation Detected"; flow:to_client,established; content:"stdapi_registry_create_key"; depth:60; classtype:successful-user; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009579; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter; sid:2009579; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter File Upload Detected"; flow:to_client,established; content:"core_channel_write"; depth:50;classtype:successful-user; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009580; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter; sid:2009580; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Channel Interaction Detected, Likely Interaction With Executable"; flow:to_client,established; content:"core_channel_interact"; depth:60; classtype:successful-user; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009651; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter; sid:2009651; rev:3;)
+
+
+#by shirkdog
+alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:"ET ATTACK_RESPONSE Metasploit/Meterpreter - Sending metsrv.dll to Compromised Host"; flow:established; content:"metsrv.dll|00|MZ"; depth:13; content:"!This program cannot be run in DOS mode."; distance:75; within:40; classtype:successful-admin; reference:url,doc.emergingthreats.net/2009581; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter; sid:2009581; rev:3;)
+
+#by Varga-Perke Balint
+alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:"ET ATTACK_RESPONSE Metasploit/Meterpreter - Sending metsrv.dll to Compromised Host"; flow:established; content:"|40 00 41 00 42 0043 00 44 00 6d 65 74 73 72 76 2e 64 6c 6c 00 49 6e 69 74 00 5f 52 65 66 6c 65 63 74 69 76 65 4c 6f 61|"; classtype:successful-admin; reference:url,doc.emergingthreats.net/2010454; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter; sid:2010454; rev:3;)
+
+#Submitted by Joel Esler
+alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg: "ET ATTACK_RESPONSE IRC - Nick change on non-std port"; flow: to_server,established; dsize: <64; content:"NICK "; nocase; offset: 0; depth: 5; tag: session,300,seconds; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000345; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Non-Standard_IRC; sid:2000345; rev:8;)
+alert tcp $EXTERNAL_NET !6661:6668 -> $HOME_NET any (msg: "ET ATTACK_RESPONSE IRC - Name response on non-std port"; flow: to_client,established; dsize: <128; content:"|3a|"; offset: 0; depth: 1; content:" 302 "; content:"=+"; content:"@"; tag: session,300,seconds; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000346; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Non-Standard_IRC; sid:2000346; rev:9;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg: "ET ATTACK_RESPONSE IRC - Private message on non-std port"; flow: to_server,established; dsize: <128; content:"PRIVMSG "; nocase; offset: 0; depth: 8; tag: session,300,seconds; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000347; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Non-Standard_IRC; sid:2000347; rev:8;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg: "ET ATTACK_RESPONSE IRC - Channel JOIN on non-std port"; flow: to_server,established; dsize: <64; content:"JOIN "; nocase; offset: 0; depth: 5; tag: session,300,seconds; pcre:"/&|#|\+|!/R"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000348; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Non-Standard_IRC; sid:2000348; rev:8;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg: "ET ATTACK_RESPONSE IRC - DCC file transfer request on non-std port"; flow: to_server,established; content:"PRIVMSG "; nocase; offset: 0; depth: 8; content:" |3a|.DCC SEND"; nocase; tag: session,300,seconds; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000349; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Non-Standard_IRC; sid:2000349; rev:8;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg: "ET ATTACK_RESPONSE IRC - DCC chat request on non-std port"; flow: to_server,established; content:"PRIVMSG "; nocase; offset: 0; depth: 8; content:" |3a|.DCC CHAT chat"; nocase; tag: session,300,seconds; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000350; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Non-Standard_IRC; sid:2000350; rev:9;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg: "ET ATTACK_RESPONSE IRC - channel join on non-std port"; flow: to_server,established; content:"JOIN |3a| #"; nocase; offset: 0; depth: 8; tag: session,300,seconds; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000351; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Non-Standard_IRC; sid:2000351; rev:9;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg: "ET ATTACK_RESPONSE IRC - dns request on non-std port"; flow: to_server,established; content:"USERHOST "; nocase; offset: 0; depth: 9; tag: session,300,seconds; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000352; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Non-Standard_IRC; sid:2000352; rev:8;)
+#Erik Fichtner
+alert tcp $HOME_NET any -> any 6667 (msg: "ET ATTACK_RESPONSE Likely Botnet Activity"; flowbits:isset,is_proto_irc; flow:to_server,established; content:"PRIVMSG"; nocase; tag: session,50,packets; pcre:"/(cheguei gazelas|meh que tao|Status|Tempo|Total pacotes|Total bytes|M?dia de envio|portas? aberta)/i"; classtype: string-detect; reference:url,doc.emergingthreats.net/bin/view/Main/2001620; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Non-Standard_IRC; sid:2001620; rev:7;)
+
+#By Chris Norton
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Outbound PHP Connection"; flow: established,to_server; content:"From\: anon@anon.com"; nocase; offset: 0; depth: 19; content:"User-Agent\: PHP"; nocase; classtype: web-application-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001628; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Outbound_PHP_Fopen; sid:2001628; rev:7;)
+
+#by Cees Elzinga
+#note: most effective with a deep flow depth, or 0
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE r57 phpshell footer detected"; flow:established,from_server; content:"r57shell - http-shell by RST/GHC"; classtype:web-application-activity; reference:url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755; reference:url,doc.emergingthreats.net/bin/view/Main/2003535; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_PHP_Shells; sid:2003535; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ATTACK_RESPONSE r57 phpshell source being uploaded"; flow:established,to_server; content:"/*  (c)oded by 1dt.w0lf"; content:"/*  RST/GHC http"; distance:0; classtype:web-application-activity; reference:url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755; reference:url,doc.emergingthreats.net/bin/view/Main/2003536; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_PHP_Shells; sid:2003536; rev:8;)
+
+#by Ryan Macdonald of R-fx networks (www.rfxn.com)
+#those commented out are more prone to false positives. They'll be more reliable in a web-only environment
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE x2300 phpshell detected"; flow:established,from_server; content:"x2300 Locus7Shell"; classtype:web-application-activity; reference:url,www.rfxn.com/vdb.php; reference:url,doc.emergingthreats.net/bin/view/Main/2007651; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_PHP_Shells; sid:2007651; rev:5;)
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE c99shell phpshell detected"; flow:established,from_server; content:"c99shell"; classtype:web-application-activity; reference:url,www.rfxn.com/vdb.php; reference:url,doc.emergingthreats.net/bin/view/Main/2007652; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_PHP_Shells; sid:2007652; rev:5;)
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE RFI Scanner detected"; flow:established,from_server; content:"RFI Scanner"; classtype:web-application-activity; reference:url,www.rfxn.com/vdb.php; reference:url,doc.emergingthreats.net/bin/view/Main/2007653; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_PHP_Shells; sid:2007653; rev:5;)
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE C99 Modified phpshell detected"; flow:established,from_server; content:"C99 Modified"; classtype:web-application-activity; reference:url,www.rfxn.com/vdb.php; reference:url,doc.emergingthreats.net/bin/view/Main/2007654; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_PHP_Shells; sid:2007654; rev:5;)
+#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE lila.jpg phpshell detected"; flow:established,from_server; content:"CMD PHP"; classtype:web-application-activity; reference:url,www.rfxn.com/vdb.php; reference:url,doc.emergingthreats.net/bin/view/Main/2007655; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_PHP_Shells; sid:2007655; rev:5;)
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE ALBANIA id.php detected"; flow:established,from_server; content:"UNITED ALBANIANS aka ALBOSS PARADISE"; classtype:web-application-activity; reference:url,www.rfxn.com/vdb.php; reference:url,doc.emergingthreats.net/bin/view/Main/2007656; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_PHP_Shells; sid:2007656; rev:5;)
+#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Mic22 id.php detected"; flow:established,from_server; content:"Mic22"; classtype:web-application-activity; reference:url,www.rfxn.com/vdb.php; reference:url,doc.emergingthreats.net/bin/view/Main/2007657; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_PHP_Shells; sid:2007657; rev:5;)
+
+#by Christian Teutenberg
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET ATTACK_RESPONSE Backdoor reDuh http initiate"; flow:to_server,established; uricontent:"?action=checkPort&port="; content:"|0d 0a|User-Agent|3A|"; nocase; content:"Java/"; distance:0; reference:url,www.sensepost.com/labs/tools/pentest/reduh; reference:url,doc.emergingthreats.net/2011667; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Reduh; classtype:trojan-activity; sid:2011667; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET ATTACK_RESPONSE Backdoor reDuh http tunnel"; flow:to_server,established; uricontent:"?action=getData&servicePort="; content:"|0d 0a|User-Agent|3A|"; nocase; content:"Java/"; distance:0; threshold:type limit, track by_src, count 1, seconds 300; reference:url,www.sensepost.com/labs/tools/pentest/reduh; reference:url,doc.emergingthreats.net/2011668; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Reduh; classtype:trojan-activity; sid:2011668; rev:3;)
+
+#by Adam Ellison
+# Detects the old style weak and crackable windows auth in use. By default this should not be in
+# active use, but can be forced by hostile parties by a number of methods
+alert tcp $HOME_NET 139 -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Weak Netbios Lanman Auth Challenge Detected"; flow:from_server; content:"|ff 53 4d 42|"; content:"|00 11 22 33 44 55 66 77 88|"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2006417; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Short_Lanman_Auth_Challenge; sid:2006417; rev:8;)
+
+#for a windows cmd shell opened on a local box
+alert tcp $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE Possible MS CMD Shell opened on local system"; flow:established; dsize:<110; content:"Microsoft Windows "; depth:20; content:"Copyright 1985-20"; distance:0; content:"Microsoft Corp"; distance:0; content:"|0a 0a|C|3a 5c|WINDOWS|5c|"; distance:0; classtype:successful-admin; reference:url,doc.emergingthreats.net/bin/view/Main/2008953; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Windows_Shell; sid:2008953; rev:8;)
+
+#by Kevin Ross
+#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Possible Ipconfig Information Detected in HTTP Response"; flow:from_server,established; content:"Windows IP Configuration"; content:"Ethernet adapter Local Area Connection"; distance:8; within:40; classtype:successful-recon-limited; reference:url,en.wikipedia.org/wiki/Ipconfig; reference:url,doc.emergingthreats.net/2009675; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Windows_Shell; sid:2009675; rev:3;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Ipconfig Response Detected"; flow:from_server,established; content:"Windows IP Configuration"; content:"Ethernet adapter Local Area Connection"; offset:35; distance:8; depth:55; classtype:successful-recon-limited; reference:url,en.wikipedia.org/wiki/Ipconfig; reference:url,doc.emergingthreats.net/2009676; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Windows_Shell; sid:2009676; rev:3;)
+
+#By Erik Fichtner
+alert tcp $HOME_NET any -> 213.219.122.11/32 $HTTP_PORTS (msg: "ET ATTACK_RESPONSE Zone-H.org defacement notification"; flow: established,to_server; content:"notify_"; nocase; pcre:"/notify_(defacer|domain|hackmode|reason)=/i"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001616; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Zone-h_Defacement; sid:2001616; rev:9;)
+
+#by Matt Jonkman
+alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg: "ET ATTACK_RESPONSE Possible /etc/passwd via HTTP (linux style)"; flow:established,from_server; content:"root|3a|x|3a|0|3a|0|3a|root|3a|/root|3a|/"; nocase; classtype:misc-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002034; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_etc-passwd; sid:2002034; rev:8;)
+alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg: "ET ATTACK_RESPONSE Possible /etc/passwd via HTTP (BSD style)"; flow:established,from_server; content:"root|3a|*|3a|0|3a|0|3a|"; nocase; content:"|3a|/root|3a|/bin"; nocase; classtype:misc-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003071; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_etc-passwd; sid:2003071; rev:5;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg: "ET ATTACK_RESPONSE Possible /etc/passwd via SMTP (linux style)"; flow:established,from_server; content:"root|3a|x|3a|0|3a|0|3a|root|3a|/root|3a|/"; nocase; classtype:misc-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003149; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_etc-passwd; sid:2003149; rev:4;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg: "ET ATTACK_RESPONSE Possible /etc/passwd via SMTP (BSD style)"; flow:established,from_server; content:"root|3a|*|3a|0|3a|0|3a|"; nocase; content:"|3a|/root|3a|/bin"; nocase; classtype:misc-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003150; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_etc-passwd; sid:2003150; rev:4;)
+

data/test/rules/test2.rules

@@ -0,0 +1,4 @@
+    
+# i am a comment
+
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE HTTP 401 Unauthorized"; flow:from_server,established; content:"HTTP/1."; depth:7; content:" 401"; within:5; threshold: type both, count 1, seconds 300, track by_dst; classtype:attempted-recon; reference:url,doc.emergingthreats.net/2009345; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_401_Unauthorized; sid:2009345; rev:5;)

metadata

@@ -0,0 +1,82 @@
+--- !ruby/object:Gem::Specification 
+name: ids_rules_parser
+version: !ruby/object:Gem::Version 
+  prerelease: false
+  segments: 
+  - 0
+  - 2
+  - 0
+  version: 0.2.0
+platform: ruby
+authors: 
+- Kris Barrett
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2011-03-30 00:00:00 -07:00
+default_executable: 
+dependencies: []
+
+description: A PEG/Treetop Compatible Grammar for IDS/IPS Rules
+email: krisbarrett@gmail.com
+executables: 
+- ids_rules_parser
+extensions: []
+
+extra_rdoc_files: 
+- README.markdown
+- bin/ids_rules_parser
+- lib/ids_rules.treetop
+- lib/ids_rules_parser.rb
+files: 
+- README.markdown
+- Rakefile
+- bin/ids_rules_parser
+- ids_rules_parser.gemspec
+- lib/ids_rules.treetop
+- lib/ids_rules_parser.rb
+- test/ids_rules_parser_test.rb
+- test/rules/emerging-attack_response.rules
+- test/rules/test2.rules
+- Manifest
+has_rdoc: true
+homepage: https://github.com/krisbarrett/suricata_rules_parser
+licenses: []
+
+post_install_message: 
+rdoc_options: 
+- --line-numbers
+- --inline-source
+- --title
+- Ids_rules_parser
+- --main
+- README.markdown
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      segments: 
+      - 0
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      segments: 
+      - 1
+      - 2
+      version: "1.2"
+requirements: []
+
+rubyforge_project: ids_rules_parser
+rubygems_version: 1.3.7
+signing_key: 
+specification_version: 3
+summary: A PEG/Treetop Compatible Grammar for IDS/IPS Rules
+test_files: 
+- test/ids_rules_parser_test.rb