unified2 0.1.1
Sign up to get free protection for your applications and to get access to all the features.
- data/.document +3 -0
- data/.rspec +1 -0
- data/.yardopts +1 -0
- data/ChangeLog.rdoc +9 -0
- data/LICENSE.txt +20 -0
- data/README.rdoc +61 -0
- data/Rakefile +39 -0
- data/example/classification.config +67 -0
- data/example/example.rb +43 -0
- data/example/gen-msg.map +391 -0
- data/example/sid-msg.map +15806 -0
- data/example/unified2 +0 -0
- data/gemspec.yml +14 -0
- data/lib/unified2/classification.rb +14 -0
- data/lib/unified2/construct.rb +54 -0
- data/lib/unified2/core_ext/string.rb +8 -0
- data/lib/unified2/core_ext.rb +1 -0
- data/lib/unified2/event.rb +315 -0
- data/lib/unified2/event_ip4.rb +26 -0
- data/lib/unified2/event_ip6.rb +23 -0
- data/lib/unified2/exceptions/file_not_found.rb +4 -0
- data/lib/unified2/exceptions/file_not_readable.rb +4 -0
- data/lib/unified2/exceptions/unknown_load_type.rb +4 -0
- data/lib/unified2/exceptions.rb +2 -0
- data/lib/unified2/packet.rb +16 -0
- data/lib/unified2/payload.rb +32 -0
- data/lib/unified2/primitive/ipv4.rb +19 -0
- data/lib/unified2/primitive.rb +1 -0
- data/lib/unified2/record_header.rb +10 -0
- data/lib/unified2/sensor.rb +26 -0
- data/lib/unified2/signature.rb +24 -0
- data/lib/unified2/version.rb +4 -0
- data/lib/unified2.rb +206 -0
- data/spec/spec_helper.rb +5 -0
- data/spec/unified2_spec.rb +8 -0
- data/unified2.gemspec +15 -0
- metadata +148 -0
data/.document
ADDED
data/.rspec
ADDED
@@ -0,0 +1 @@
|
|
1
|
+
--colour --format documentation
|
data/.yardopts
ADDED
@@ -0,0 +1 @@
|
|
1
|
+
--markup rdoc --title "unified2 Documentation" --protected
|
data/ChangeLog.rdoc
ADDED
data/LICENSE.txt
ADDED
@@ -0,0 +1,20 @@
|
|
1
|
+
Copyright (c) 2011 mephux
|
2
|
+
|
3
|
+
Permission is hereby granted, free of charge, to any person obtaining
|
4
|
+
a copy of this software and associated documentation files (the
|
5
|
+
"Software"), to deal in the Software without restriction, including
|
6
|
+
without limitation the rights to use, copy, modify, merge, publish,
|
7
|
+
distribute, sublicense, and/or sell copies of the Software, and to
|
8
|
+
permit persons to whom the Software is furnished to do so, subject to
|
9
|
+
the following conditions:
|
10
|
+
|
11
|
+
The above copyright notice and this permission notice shall be
|
12
|
+
included in all copies or substantial portions of the Software.
|
13
|
+
|
14
|
+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
|
15
|
+
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
16
|
+
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
|
17
|
+
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
|
18
|
+
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
|
19
|
+
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
|
20
|
+
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
data/README.rdoc
ADDED
@@ -0,0 +1,61 @@
|
|
1
|
+
= unified2
|
2
|
+
|
3
|
+
* {Homepage}[https://github.com/mephux/unified2]
|
4
|
+
* {Documentation}[https://github.com/mephux/unified2]
|
5
|
+
|
6
|
+
== Description
|
7
|
+
|
8
|
+
A ruby interface for unified2 output. rUnified2 allows you to manipulate unified2 output for custom storage and/or analysis.
|
9
|
+
|
10
|
+
== Features
|
11
|
+
|
12
|
+
* Monitor unified2 logs and manipulate the data.
|
13
|
+
* Modular adaptor support (monogdb, mysql, postgresql, sguil etc..)
|
14
|
+
* Parse unified2 log files
|
15
|
+
* Numerous connivence methods for statistical analysis
|
16
|
+
|
17
|
+
== Examples
|
18
|
+
|
19
|
+
require 'unified2'
|
20
|
+
|
21
|
+
# load rules into memory
|
22
|
+
Unified2.configuration do
|
23
|
+
# Sensor Configurations
|
24
|
+
sensor :id => 1, :name => 'Test Sensor', :interface => 'en1'
|
25
|
+
|
26
|
+
# Load signatures, generators & classifications into memory
|
27
|
+
load :signatures, 'sid-msg.map'
|
28
|
+
load :generators, 'gen-msg.map'
|
29
|
+
load :classifications, 'classification.config'
|
30
|
+
end
|
31
|
+
|
32
|
+
# Unified2#watch
|
33
|
+
# Watch a unified2 file for changes and process the results.
|
34
|
+
Unified2.watch('/var/log/snort/merged.log', :last) do |event|
|
35
|
+
next if event.signature.name.blank?
|
36
|
+
|
37
|
+
puts "#{event.id} | #{event.ip_destination} | #{event.ip_source} | #{event.signature.name}"
|
38
|
+
puts event.payload.dump(:width => 30)
|
39
|
+
puts event.classification.name
|
40
|
+
end
|
41
|
+
|
42
|
+
# Unified2#read
|
43
|
+
# Parse a unified2 file and process the results.
|
44
|
+
Unified2.read('/var/log/snort/merged.log') do |event|
|
45
|
+
puts "#{event.id} | #{event.ip_destination} | #{event.ip_source} | #{event.signature.name}"
|
46
|
+
end
|
47
|
+
|
48
|
+
== Requirements
|
49
|
+
|
50
|
+
* bindata ~> 1.3.1
|
51
|
+
* hexdump: ~> 0.1.0
|
52
|
+
|
53
|
+
== Install
|
54
|
+
|
55
|
+
$ gem install unified2
|
56
|
+
|
57
|
+
== Copyright
|
58
|
+
|
59
|
+
Copyright (c) 2011 Dustin Willis Webber
|
60
|
+
|
61
|
+
See LICENSE.txt for details.
|
data/Rakefile
ADDED
@@ -0,0 +1,39 @@
|
|
1
|
+
require 'rubygems'
|
2
|
+
require 'rake'
|
3
|
+
|
4
|
+
begin
|
5
|
+
gem 'ore-tasks', '~> 0.5.0'
|
6
|
+
require 'ore/tasks'
|
7
|
+
|
8
|
+
Ore::Tasks.new
|
9
|
+
rescue LoadError => e
|
10
|
+
STDERR.puts e.message
|
11
|
+
STDERR.puts "Run `gem install ore-tasks` to install 'ore/tasks'."
|
12
|
+
end
|
13
|
+
|
14
|
+
begin
|
15
|
+
gem 'rspec', '~> 2.4'
|
16
|
+
require 'rspec/core/rake_task'
|
17
|
+
|
18
|
+
RSpec::Core::RakeTask.new
|
19
|
+
rescue LoadError => e
|
20
|
+
task :spec do
|
21
|
+
abort "Please run `gem install rspec` to install RSpec."
|
22
|
+
end
|
23
|
+
end
|
24
|
+
|
25
|
+
task :test => :spec
|
26
|
+
task :default => :spec
|
27
|
+
|
28
|
+
begin
|
29
|
+
gem 'yard', '~> 0.6.0'
|
30
|
+
require 'yard'
|
31
|
+
|
32
|
+
YARD::Rake::YardocTask.new
|
33
|
+
rescue LoadError => e
|
34
|
+
task :yard do
|
35
|
+
abort "Please run `gem install yard` to install YARD."
|
36
|
+
end
|
37
|
+
end
|
38
|
+
|
39
|
+
task :doc => :yard
|
@@ -0,0 +1,67 @@
|
|
1
|
+
# $Id: classification.config,v 1.4 2010/04/15 19:53:02 mwatchinski Exp $
|
2
|
+
# The following includes information for prioritizing rules
|
3
|
+
#
|
4
|
+
# Each classification includes a shortname, a description, and a default
|
5
|
+
# priority for that classification.
|
6
|
+
#
|
7
|
+
# This allows alerts to be classified and prioritized. You can specify
|
8
|
+
# what priority each classification has. Any rule can override the default
|
9
|
+
# priority for that rule.
|
10
|
+
#
|
11
|
+
# Here are a few example rules:
|
12
|
+
#
|
13
|
+
# alert TCP any any -> any 80 (msg: "EXPLOIT ntpdx overflow";
|
14
|
+
# dsize: > 128; classtype:attempted-admin; priority:10;
|
15
|
+
#
|
16
|
+
# alert TCP any any -> any 25 (msg:"SMTP expn root"; flags:A+; \
|
17
|
+
# content:"expn root"; nocase; classtype:attempted-recon;)
|
18
|
+
#
|
19
|
+
# The first rule will set its type to "attempted-admin" and override
|
20
|
+
# the default priority for that type to 10.
|
21
|
+
#
|
22
|
+
# The second rule set its type to "attempted-recon" and set its
|
23
|
+
# priority to the default for that type.
|
24
|
+
#
|
25
|
+
|
26
|
+
#
|
27
|
+
# config classification:shortname,short description,priority
|
28
|
+
#
|
29
|
+
|
30
|
+
config classification: not-suspicious,Not Suspicious Traffic,3
|
31
|
+
config classification: unknown,Unknown Traffic,3
|
32
|
+
config classification: bad-unknown,Potentially Bad Traffic, 2
|
33
|
+
config classification: attempted-recon,Attempted Information Leak,2
|
34
|
+
config classification: successful-recon-limited,Information Leak,2
|
35
|
+
config classification: successful-recon-largescale,Large Scale Information Leak,2
|
36
|
+
config classification: attempted-dos,Attempted Denial of Service,2
|
37
|
+
config classification: successful-dos,Denial of Service,2
|
38
|
+
config classification: attempted-user,Attempted User Privilege Gain,1
|
39
|
+
config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1
|
40
|
+
config classification: successful-user,Successful User Privilege Gain,1
|
41
|
+
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
|
42
|
+
config classification: successful-admin,Successful Administrator Privilege Gain,1
|
43
|
+
|
44
|
+
|
45
|
+
# NEW CLASSIFICATIONS
|
46
|
+
config classification: rpc-portmap-decode,Decode of an RPC Query,2
|
47
|
+
config classification: shellcode-detect,Executable Code was Detected,1
|
48
|
+
config classification: string-detect,A Suspicious String was Detected,3
|
49
|
+
config classification: suspicious-filename-detect,A Suspicious Filename was Detected,2
|
50
|
+
config classification: suspicious-login,An Attempted Login Using a Suspicious Username was Detected,2
|
51
|
+
config classification: system-call-detect,A System Call was Detected,2
|
52
|
+
config classification: tcp-connection,A TCP Connection was Detected,4
|
53
|
+
config classification: trojan-activity,A Network Trojan was Detected, 1
|
54
|
+
config classification: unusual-client-port-connection,A Client was Using an Unusual Port,2
|
55
|
+
config classification: network-scan,Detection of a Network Scan,3
|
56
|
+
config classification: denial-of-service,Detection of a Denial of Service Attack,2
|
57
|
+
config classification: non-standard-protocol,Detection of a Non-Standard Protocol or Event,2
|
58
|
+
config classification: protocol-command-decode,Generic Protocol Command Decode,3
|
59
|
+
config classification: web-application-activity,Access to a Potentially Vulnerable Web Application,2
|
60
|
+
config classification: web-application-attack,Web Application Attack,1
|
61
|
+
config classification: misc-activity,Misc activity,3
|
62
|
+
config classification: misc-attack,Misc Attack,2
|
63
|
+
config classification: icmp-event,Generic ICMP event,3
|
64
|
+
config classification: inappropriate-content,Inappropriate Content was Detected,1
|
65
|
+
config classification: policy-violation,Potential Corporate Privacy Violation,1
|
66
|
+
config classification: default-login-attempt,Attempt to Login By a Default Username and Password,2
|
67
|
+
config classification: sdf,Sensitive Data was Transmitted Across the Network,2
|
data/example/example.rb
ADDED
@@ -0,0 +1,43 @@
|
|
1
|
+
$:.unshift File.join(File.dirname(__FILE__), "..", "lib")
|
2
|
+
require 'unified2'
|
3
|
+
require 'pp'
|
4
|
+
|
5
|
+
# Unified2 Configuration
|
6
|
+
Unified2.configuration do
|
7
|
+
# Sensor Configurations
|
8
|
+
sensor :id => 200, :name => 'Hello Sensor', :interface => 'en1'
|
9
|
+
|
10
|
+
# Load signatures, generators & classifications into memory
|
11
|
+
load :signatures, 'sid-msg.map'
|
12
|
+
load :generators, 'gen-msg.map'
|
13
|
+
load :classifications, 'classification.config'
|
14
|
+
end
|
15
|
+
|
16
|
+
# Unified2#watch will continuously monitor
|
17
|
+
# the unified output for modifications and
|
18
|
+
# process the data accordingly.
|
19
|
+
|
20
|
+
Unified2.watch('unified2', 1) do |event|
|
21
|
+
next if event.signature.blank?
|
22
|
+
|
23
|
+
puts event.signature.name
|
24
|
+
|
25
|
+
# puts "#{event.sensor.name} #{event.timestamp} || #{event.source_port} #{event.destination_port} | #{event.protocol}"
|
26
|
+
|
27
|
+
# #{event.source_port} #{event.destination_port}
|
28
|
+
# puts "#{event.id} | #{event.ip_destination} | #{event.ip_source} | #{event.signature.name}"
|
29
|
+
# {event.generator_id} || #{event.signature.id}
|
30
|
+
end
|
31
|
+
|
32
|
+
# Unified2#read will parse the supplied
|
33
|
+
# unified2 output and return records untill EOF.
|
34
|
+
|
35
|
+
# @signatures = []
|
36
|
+
# Unified2.watch('unified2', 101) do |event|
|
37
|
+
# next if event.signature.name.blank?
|
38
|
+
# next if @signatures.include?(event.signature.id)
|
39
|
+
#
|
40
|
+
# @signatures.push event.signature.id
|
41
|
+
#
|
42
|
+
# puts "#{event.id} | #{event.ip_destination} | #{event.ip_source} | #{event.signature.name}"
|
43
|
+
# end
|
data/example/gen-msg.map
ADDED
@@ -0,0 +1,391 @@
|
|
1
|
+
# $Id: gen-msg.map,v 1.10 2010/07/07 15:51:00 nhoughton Exp $
|
2
|
+
# GENERATORS -> msg map
|
3
|
+
# Format: generatorid || alertid || MSG
|
4
|
+
|
5
|
+
1 || 1 || snort general alert
|
6
|
+
2 || 1 || tag: Tagged Packet
|
7
|
+
3 || 1 || snort dynamic alert
|
8
|
+
100 || 1 || spp_portscan: Portscan Detected
|
9
|
+
100 || 2 || spp_portscan: Portscan Status
|
10
|
+
100 || 3 || spp_portscan: Portscan Ended
|
11
|
+
101 || 1 || spp_minfrag: minfrag alert
|
12
|
+
102 || 1 || http_decode: Unicode Attack
|
13
|
+
102 || 2 || http_decode: CGI NULL Byte Attack
|
14
|
+
102 || 3 || http_decode: large method attempted
|
15
|
+
102 || 4 || http_decode: missing uri
|
16
|
+
102 || 5 || http_decode: double encoding detected
|
17
|
+
102 || 6 || http_decode: illegal hex values detected
|
18
|
+
102 || 7 || http_decode: overlong character detected
|
19
|
+
103 || 1 || spp_defrag: Fragmentation Overflow Detected
|
20
|
+
103 || 2 || spp_defrag: Stale Fragments Discarded
|
21
|
+
104 || 1 || spp_anomsensor: SPADE Anomaly Threshold Exceeded
|
22
|
+
104 || 2 || spp_anomsensor: SPADE Anomaly Threshold Adjusted
|
23
|
+
105 || 1 || spp_bo: Back Orifice Traffic Detected
|
24
|
+
105 || 2 || spp_bo: Back Orifice Client Traffic Detected
|
25
|
+
105 || 3 || spp_bo: Back Orifice Server Traffic Detected
|
26
|
+
105 || 4 || spp_bo: Back Orifice Snort Buffer Attack
|
27
|
+
106 || 1 || spp_rpc_decode: Fragmented RPC Records
|
28
|
+
106 || 2 || spp_rpc_decode: Multiple Records in one packet
|
29
|
+
106 || 3 || spp_rpc_decode: Large RPC Record Fragment
|
30
|
+
106 || 4 || spp_rpc_decode: Incomplete RPC segment
|
31
|
+
106 || 5 || spp_rpc_decode: Zero-length RPC Fragment
|
32
|
+
110 || 1 || spp_unidecode: CGI NULL Attack
|
33
|
+
110 || 2 || spp_unidecode: Directory Traversal
|
34
|
+
110 || 3 || spp_unidecode: Unknown Mapping
|
35
|
+
110 || 4 || spp_unidecode: Invalid Mapping
|
36
|
+
111 || 1 || spp_stream4: Stealth Activity Detected
|
37
|
+
111 || 2 || spp_stream4: Evasive Reset Packet
|
38
|
+
111 || 3 || spp_stream4: Retransmission
|
39
|
+
111 || 4 || spp_stream4: Window Violation
|
40
|
+
111 || 5 || spp_stream4: Data on SYN Packet
|
41
|
+
111 || 6 || spp_stream4: Full XMAS Stealth Scan
|
42
|
+
111 || 7 || spp_stream4: SAPU Stealth Scan
|
43
|
+
111 || 8 || spp_stream4: FIN Stealth Scan
|
44
|
+
111 || 9 || spp_stream4: NULL Stealth Scan
|
45
|
+
111 || 10 || spp_stream4: NMAP XMAS Stealth Scan
|
46
|
+
111 || 11 || spp_stream4: VECNA Stealth Scan
|
47
|
+
111 || 12 || spp_stream4: NMAP Fingerprint Stateful Detection
|
48
|
+
111 || 13 || spp_stream4: SYN FIN Stealth Scan
|
49
|
+
111 || 14 || spp_stream4: TCP forward overlap detected
|
50
|
+
111 || 15 || spp_stream4: TTL Evasion attempt
|
51
|
+
111 || 16 || spp_stream4: Evasive retransmitted data attempt
|
52
|
+
111 || 17 || spp_stream4: Evasive retransmitted data with the data split attempt
|
53
|
+
111 || 18 || spp_stream4: Multiple acked
|
54
|
+
111 || 19 || spp_stream4: Shifting to Emergency Session Mode
|
55
|
+
111 || 20 || spp_stream4: Shifting to Suspend Mode
|
56
|
+
111 || 21 || spp_stream4: TCP Timestamp option has value of zero
|
57
|
+
111 || 22 || spp_stream4: Too many overlapping TCP packets
|
58
|
+
111 || 23 || spp_stream4: Packet in established TCP stream missing ACK
|
59
|
+
111 || 24 || spp_stream4: Evasive FIN Packet
|
60
|
+
111 || 25 || spp_stream4: SYN on established
|
61
|
+
112 || 1 || spp_arpspoof: Directed ARP Request
|
62
|
+
112 || 2 || spp_arpspoof: Etherframe ARP Mismatch SRC
|
63
|
+
112 || 3 || spp_arpspoof: Etherframe ARP Mismatch DST
|
64
|
+
112 || 4 || spp_arpspoof: ARP Cache Overwrite Attack
|
65
|
+
113 || 1 || spp_frag2: Oversized Frag
|
66
|
+
113 || 2 || spp_frag2: Teardrop/Fragmentation Overlap Attack
|
67
|
+
113 || 3 || spp_frag2: TTL evasion detected
|
68
|
+
113 || 4 || spp_frag2: overlap detected
|
69
|
+
113 || 5 || spp_frag2: Duplicate first fragments
|
70
|
+
113 || 6 || spp_frag2: memcap exceeded
|
71
|
+
113 || 7 || spp_frag2: Out of order fragments
|
72
|
+
113 || 8 || spp_frag2: IP Options on Fragmented Packet
|
73
|
+
113 || 9 || spp_frag2: Shifting to Emegency Session Mode
|
74
|
+
113 || 10 || spp_frag2: Shifting to Suspend Mode
|
75
|
+
114 || 1 || spp_fnord: Possible Mutated GENERIC NOP Sled detected
|
76
|
+
114 || 2 || spp_fnord: Possible Mutated IA32 NOP Sled detected
|
77
|
+
114 || 3 || spp_fnord: Possible Mutated HPPA NOP Sled detected
|
78
|
+
114 || 4 || spp_fnord: Possible Mutated SPARC NOP Sled detected
|
79
|
+
115 || 1 || spp_asn1: Indefinite ASN.1 length encoding
|
80
|
+
115 || 2 || spp_asn1: Invalid ASN.1 length encoding
|
81
|
+
115 || 3 || spp_asn1: ASN.1 oversized item, possible overflow
|
82
|
+
115 || 4 || spp_asn1: ASN.1 spec violation, possible overflow
|
83
|
+
115 || 5 || spp_asn1: ASN.1 Attack: Datum length > packet length
|
84
|
+
116 || 1 || snort_decoder: WARNING: Not IPv4 datagram!
|
85
|
+
116 || 2 || snort_decoder: WARNING: hlen < IP_HEADER_LEN!
|
86
|
+
116 || 3 || snort_decoder: WARNING: IP dgm len < IP Hdr len!
|
87
|
+
116 || 4 || snort_decoder: WARNING: Bad IPv4 Options
|
88
|
+
116 || 5 || snort_decoder: WARNING: Truncated IPv4 Options
|
89
|
+
116 || 6 || snort_decoder: WARNING: IP dgm len > captured len!
|
90
|
+
116 || 45 || snort_decoder: WARNING: TCP packet len is smaller than 20 bytes!
|
91
|
+
116 || 46 || snort_decoder: WARNING: TCP Data Offset is less than 5!
|
92
|
+
116 || 47 || snort_decoder: WARNING: TCP Data Offset is longer than payload!
|
93
|
+
116 || 54 || snort_decoder: WARNING: Tcp Options found with bad lengths
|
94
|
+
116 || 55 || snort_decoder: WARNING: Truncated Tcp Options
|
95
|
+
116 || 56 || snort_decoder: WARNING: T/TCP Detected
|
96
|
+
116 || 57 || snort_decoder: WARNING: Obsolete TCP options
|
97
|
+
116 || 58 || snort_decoder: WARNING: Experimental TCP options
|
98
|
+
116 || 59 || snort_decoder: WARNING: TCP Window Scale Option Scale Invalid (> 14)
|
99
|
+
116 || 95 || snort_decoder: WARNING: Truncated UDP Header!
|
100
|
+
116 || 96 || snort_decoder: WARNING: Invalid UDP header, length field < 8
|
101
|
+
116 || 97 || snort_decoder: WARNING: Short UDP packet, length field > payload length
|
102
|
+
116 || 98 || snort_decoder: WARNING: Long UDP packet, length field < payload length
|
103
|
+
116 || 105 || snort_decoder: WARNING: ICMP Header Truncated!
|
104
|
+
116 || 106 || snort_decoder: WARNING: ICMP Timestamp Header Truncated!
|
105
|
+
116 || 107 || snort_decoder: WARNING: ICMP Address Header Truncated!
|
106
|
+
116 || 108 || snort_decoder: WARNING: Unknown Datagram decoding problem!
|
107
|
+
116 || 109 || snort_decoder: WARNING: Truncated ARP Packet!
|
108
|
+
116 || 110 || snort_decoder: WARNING: Truncated EAP Header!
|
109
|
+
116 || 111 || snort_decoder: WARNING: EAP Key Truncated!
|
110
|
+
116 || 112 || snort_decoder: WARNING: EAP Header Truncated!
|
111
|
+
116 || 120 || snort_decoder: WARNING: Bad PPPOE frame detected!
|
112
|
+
116 || 130 || snort_decoder: WARNING: Bad VLAN Frame!
|
113
|
+
116 || 131 || snort_decoder: WARNING: Bad LLC header!
|
114
|
+
116 || 132 || snort_decoder: WARNING: Bad Extra LLC Info!
|
115
|
+
116 || 133 || snort_decoder: WARNING: Bad 802.11 LLC header!
|
116
|
+
116 || 134 || snort_decoder: WARNING: Bad 802.11 Extra LLC Info!
|
117
|
+
116 || 140 || snort_decoder: WARNING: Bad Token Ring Header!
|
118
|
+
116 || 141 || snort_decoder: WARNING: Bad Token Ring ETHLLC Header!
|
119
|
+
116 || 142 || snort_decoder: WARNING: Bad Token Ring MRLEN Header!
|
120
|
+
116 || 143 || snort_decoder: WARNING: Bad Token Ring MR Header!
|
121
|
+
116 || 150 || snort_decoder: WARNING: Bad Traffic Loopback IP!
|
122
|
+
116 || 151 || snort_decoder: WARNING: Bad Traffic Same Src/Dst IP!
|
123
|
+
116 || 160 || snort_decoder: WARNING: GRE header length > payload length
|
124
|
+
116 || 161 || snort_decoder: WARNING: Multiple encapsulations in packet
|
125
|
+
116 || 162 || snort_decoder: WARNING: Invalid GRE version
|
126
|
+
116 || 163 || snort_decoder: WARNING: Invalid GRE v.0 header
|
127
|
+
116 || 164 || snort_decoder: WARNING: Invalid GRE v.1 PPTP header
|
128
|
+
116 || 165 || snort_decoder: WARNING: GRE Trans header length > payload length
|
129
|
+
116 || 170 || snort_decoder: WARNING: Bad MPLS Frame
|
130
|
+
116 || 171 || snort_decoder: WARNING: MPLS Label 0 Appears in Nonbottom Header
|
131
|
+
116 || 172 || snort_decoder: WARNING: MPLS Label 1 Appears in Bottom Header
|
132
|
+
116 || 173 || snort_decoder: WARNING: MPLS Label 2 Appears in Nonbottom Header
|
133
|
+
116 || 174 || snort_decoder: WARNING: Bad use of label 3
|
134
|
+
116 || 175 || snort_decoder: WARNING: MPLS Label 4, 5,.. or 15 Appears in Header
|
135
|
+
116 || 176 || snort_decoder: WARNING: Too Many MPLS headers
|
136
|
+
116 || 250 || snort_decoder: WARNING: ICMP Original IP Header Truncated!
|
137
|
+
116 || 251 || snort_decoder: WARNING: ICMP Original IP Header Not IPv4!
|
138
|
+
116 || 252 || snort_decoder: WARNING: ICMP Original Datagram Length < Original IP Header Length!
|
139
|
+
116 || 253 || snort_decoder: WARNING: ICMP Original IP Payload < 64 bits!
|
140
|
+
116 || 254 || snort_decoder: WARNING: ICMP Original IP Payload > 576 bytes!
|
141
|
+
116 || 255 || snort_decoder: WARNING: ICMP Original IP Fragmented and Offset Not 0!
|
142
|
+
116 || 270 || snort_decoder: WARNING: IPV6 packet exceeded TTL limit
|
143
|
+
116 || 271 || snort_decoder: WARNING: IPv6 header claims to not be IPv6
|
144
|
+
116 || 272 || snort_decoder: WARNING: IPV6 truncated extension header
|
145
|
+
116 || 273 || snort_decoder: WARNING: IPV6 truncated header
|
146
|
+
116 || 274 || snort_decoder: WARNING: IPV6 dgm len < IPV6 Hdr len!
|
147
|
+
116 || 275 || snort_decoder: WARNING: IPV6 dgm len > captured len!
|
148
|
+
116 || 276 || snort_decoder: WARNING: IPv6 packet with destination address ::0
|
149
|
+
116 || 277 || snort_decoder: WARNING: IPv6 packet with multicast source address
|
150
|
+
116 || 278 || snort_decoder: WARNING: IPv6 packet with reserved multicast destination address
|
151
|
+
116 || 279 || snort_decoder: WARNING: IPv6 header includes an undefined option type
|
152
|
+
116 || 280 || snort_decoder: WARNING: IPv6 address includes an unassigned multicast scope value
|
153
|
+
116 || 281 || snort_decoder: WARNING: IPv6 header includes an invalid value for the "next header" field
|
154
|
+
116 || 282 || snort_decoder: WARNING: IPv6 header includes a routing extension header followed by a hop-by-hop header
|
155
|
+
116 || 283 || snort_decoder: WARNING: IPv6 header includes two routing extension headers
|
156
|
+
116 || 285 || snort_decoder: WARNING: ICMPv6 packet of type 2 (message too big) with MTU field < 1280
|
157
|
+
116 || 286 || snort_decoder: WARNING: ICMPv6 packet of type 1 (destination unreachable) with invalid code field
|
158
|
+
116 || 287 || snort_decoder: WARNING: ICMPv6 router solicitation packet with a code not equal to 0
|
159
|
+
116 || 288 || snort_decoder: WARNING: ICMPv6 router advertisement packet with a code not equal to 0
|
160
|
+
116 || 289 || snort_decoder: WARNING: ICMPv6 router solicitation packet with the reserved field not equal to 0
|
161
|
+
116 || 290 || snort_decoder: WARNING: ICMPv6 router advertisement packet with the reachable time field set > 1 hour
|
162
|
+
116 || 291 || snort_decoder: WARNING: IPV6 tunneled over IPv4, IPv6 header truncated, possible Linux Kernel attack
|
163
|
+
116 || 292 || snort_decoder: WARNING: IPv6 header has destination options followed by a routing header
|
164
|
+
116 || 293 || snort_decoder: WARNING: Two or more IP (v4 and/or v6) encapsulation layers present
|
165
|
+
116 || 294 || snort_decoder: WARNING: truncated Encapsulated Security Payload (ESP) header
|
166
|
+
116 || 400 || snort_decoder: WARNING: XMAS Attack Detected!
|
167
|
+
116 || 401 || snort_decoder: WARNING: Nmap XMAS Attack Detected!
|
168
|
+
116 || 402 || snort_decoder: WARNING: DOS NAPTHA Vulnerability Detected!
|
169
|
+
116 || 403 || snort_decoder: WARNING: Bad Traffic SYN to multicast address
|
170
|
+
116 || 404 || snort_decoder: WARNING: IPV4 packet with zero TTL
|
171
|
+
116 || 405 || snort_decoder: WARNING: IPV4 packet with bad frag bits (Both MF and DF set)
|
172
|
+
116 || 406 || snort_decoder: WARNING: Invalid IPv6 UDP packet, checksum zero
|
173
|
+
116 || 407 || snort_decoder: WARNING: IPV4 packet frag offset + length exceed maximum
|
174
|
+
116 || 408 || snort_decoder: WARNING: IPV4 packet from 'current net' source address
|
175
|
+
116 || 409 || snort_decoder: WARNING: IPV4 packet to 'current net' dest address
|
176
|
+
116 || 410 || snort_decoder: WARNING: IPV4 packet from multicast source address
|
177
|
+
116 || 411 || snort_decoder: WARNING: IPV4 packet from reserved source address
|
178
|
+
116 || 412 || snort_decoder: WARNING: IPV4 packet to reserved dest address
|
179
|
+
116 || 413 || snort_decoder: WARNING: IPV4 packet from broadcast source address
|
180
|
+
116 || 414 || snort_decoder: WARNING: IPV4 packet to broadcast dest address
|
181
|
+
116 || 415 || snort_decoder: WARNING: ICMP4 packet to multicast dest address
|
182
|
+
116 || 416 || snort_decoder: WARNING: ICMP4 packet to broadcast dest address
|
183
|
+
116 || 417 || snort_decoder: WARNING: ICMP4 source quence
|
184
|
+
116 || 418 || snort_decoder: WARNING: ICMP4 type other
|
185
|
+
116 || 419 || snort_decoder: WARNING: TCP urgent pointer exceeds payload length or no payload
|
186
|
+
116 || 420 || snort_decoder: WARNING: TCP SYN with FIN
|
187
|
+
116 || 421 || snort_decoder: WARNING: TCP SYN with RST
|
188
|
+
116 || 422 || snort_decoder: WARNING: TCP PDU missing ack for established session
|
189
|
+
116 || 423 || snort_decoder: WARNING: TCP has no SYN, ACK, or RST
|
190
|
+
116 || 424 || snort_decoder: WARNING: truncated eth header
|
191
|
+
116 || 425 || snort_decoder: WARNING: truncated IP4 header
|
192
|
+
116 || 426 || snort_decoder: WARNING: truncated ICMP4 header
|
193
|
+
116 || 427 || snort_decoder: WARNING: truncated ICMP6 header
|
194
|
+
116 || 428 || snort_decoder: WARNING: IPV4 packet below TTL limit
|
195
|
+
116 || 429 || snort_decoder: WARNING: IPV6 packet has zero hop limit
|
196
|
+
116 || 430 || snort_decoder: WARNING: IPV4 packet both DF and offset set
|
197
|
+
116 || 431 || snort_decoder: WARNING: ICMP6 type not decoded
|
198
|
+
116 || 432 || snort_decoder: WARNING: ICMP6 packet to multicast address
|
199
|
+
116 || 433 || snort_decoder: WARNING: DDOS shaft synflood
|
200
|
+
116 || 434 || snort_decoder: WARNING: ICMP PING NMAP
|
201
|
+
116 || 435 || snort_decoder: WARNING: ICMP icmpenum v1.1.1
|
202
|
+
116 || 436 || snort_decoder: WARNING: ICMP redirect host
|
203
|
+
116 || 437 || snort_decoder: WARNING: ICMP redirect net
|
204
|
+
116 || 438 || snort_decoder: WARNING: ICMP traceroute ipopts
|
205
|
+
116 || 439 || snort_decoder: WARNING: ICMP Source Quench
|
206
|
+
116 || 440 || snort_decoder: WARNING: Broadscan Smurf Scanner
|
207
|
+
116 || 441 || snort_decoder: WARNING: ICMP Destination Unreachable Communication Administratively Prohibited
|
208
|
+
116 || 442 || snort_decoder: WARNING: ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited
|
209
|
+
116 || 443 || snort_decoder: WARNING: ICMP Destination Unreachable Communication with Destination Network is Administratively Prohibited
|
210
|
+
116 || 444 || snort_decoder: WARNING: MISC IP option set
|
211
|
+
116 || 445 || snort_decoder: WARNING: MISC Large UDP Packet
|
212
|
+
116 || 446 || snort_decoder: WARNING: BAD-TRAFFIC TCP port 0 traffic
|
213
|
+
116 || 447 || snort_decoder: WARNING: BAD-TRAFFIC UDP port 0 traffic
|
214
|
+
116 || 448 || snort_decoder: WARNING: BAD-TRAFFIC IP reserved bit set
|
215
|
+
116 || 449 || snort_decoder: WARNING: BAD-TRAFFIC Unassigned/Reserved IP protocol
|
216
|
+
116 || 450 || snort_decoder: WARNING: BAD-TRAFFIC Bad IP protocol
|
217
|
+
116 || 451 || snort_decoder: WARNING: ICMP PATH MTU denial of service attempt
|
218
|
+
117 || 1 || spp_portscan2: Portscan detected!
|
219
|
+
118 || 1 || spp_conversation: Bad IP protocol!
|
220
|
+
119 || 1 || http_inspect: ASCII ENCODING
|
221
|
+
119 || 2 || http_inspect: DOUBLE DECODING ATTACK
|
222
|
+
119 || 3 || http_inspect: U ENCODING
|
223
|
+
119 || 4 || http_inspect: BARE BYTE UNICODE ENCODING
|
224
|
+
119 || 5 || http_inspect: BASE36 ENCODING
|
225
|
+
119 || 6 || http_inspect: UTF-8 ENCODING
|
226
|
+
119 || 7 || http_inspect: IIS UNICODE CODEPOINT ENCODING
|
227
|
+
119 || 8 || http_inspect: MULTI_SLASH ENCODING
|
228
|
+
119 || 9 || http_inspect: IIS BACKSLASH EVASION
|
229
|
+
119 || 10 || http_inspect: SELF DIRECTORY TRAVERSAL
|
230
|
+
119 || 11 || http_inspect: DIRECTORY TRAVERSAL
|
231
|
+
119 || 12 || http_inspect: APACHE WHITESPACE (TAB)
|
232
|
+
119 || 13 || http_inspect: NON-RFC HTTP DELIMITER
|
233
|
+
119 || 14 || http_inspect: NON-RFC DEFINED CHAR
|
234
|
+
119 || 15 || http_inspect: OVERSIZE REQUEST-URI DIRECTORY
|
235
|
+
119 || 16 || http_inspect: OVERSIZE CHUNK ENCODING
|
236
|
+
119 || 17 || http_inspect: UNAUTHORIZED PROXY USE DETECTED
|
237
|
+
119 || 18 || http_inspect: WEBROOT DIRECTORY TRAVERSAL
|
238
|
+
119 || 19 || http_inspect: LONG HEADER
|
239
|
+
119 || 20 || http_inspect: MAX HEADERS
|
240
|
+
119 || 21 || http_inspect: MULTIPLE CONTENT LENGTH HEADER FIELDS
|
241
|
+
119 || 22 || http_inspect: CHUNK SIZE MISMATCH DETECTED
|
242
|
+
119 || 23 || http_inspect: INVALID IP IN TRUE-CLIENT-IP/XFF HEADER
|
243
|
+
120 || 1 || http_inspect: ANOMALOUS HTTP SERVER ON UNDEFINED HTTP PORT
|
244
|
+
120 || 2 || http_inspect: INVALID STATUS CODE IN HTTP RESPONSE
|
245
|
+
121 || 1 || flow-portscan: Fixed Scale Scanner Limit Exceeded
|
246
|
+
121 || 2 || flow-portscan: Sliding Scale Scanner Limit Exceeded
|
247
|
+
121 || 3 || flow-portscan: Fixed Scale Talker Limit Exceeded
|
248
|
+
121 || 4 || flow-portscan: Sliding Scale Talker Limit Exceeded
|
249
|
+
122 || 1 || portscan: TCP Portscan
|
250
|
+
122 || 2 || portscan: TCP Decoy Portscan
|
251
|
+
122 || 3 || portscan: TCP Portsweep
|
252
|
+
122 || 4 || portscan: TCP Distributed Portscan
|
253
|
+
122 || 5 || portscan: TCP Filtered Portscan
|
254
|
+
122 || 6 || portscan: TCP Filtered Decoy Portscan
|
255
|
+
122 || 7 || portscan: TCP Filtered Portsweep
|
256
|
+
122 || 8 || portscan: TCP Filtered Distributed Portscan
|
257
|
+
122 || 9 || portscan: IP Protocol Scan
|
258
|
+
122 || 10 || portscan: IP Decoy Protocol Scan
|
259
|
+
122 || 11 || portscan: IP Protocol Sweep
|
260
|
+
122 || 12 || portscan: IP Distributed Protocol Scan
|
261
|
+
122 || 13 || portscan: IP Filtered Protocol Scan
|
262
|
+
122 || 14 || portscan: IP Filtered Decoy Protocol Scan
|
263
|
+
122 || 15 || portscan: IP Filtered Protocol Sweep
|
264
|
+
122 || 16 || portscan: IP Filtered Distributed Protocol Scan
|
265
|
+
122 || 17 || portscan: UDP Portscan
|
266
|
+
122 || 18 || portscan: UDP Decoy Portscan
|
267
|
+
122 || 19 || portscan: UDP Portsweep
|
268
|
+
122 || 20 || portscan: UDP Distributed Portscan
|
269
|
+
122 || 21 || portscan: UDP Filtered Portscan
|
270
|
+
122 || 22 || portscan: UDP Filtered Decoy Portscan
|
271
|
+
122 || 23 || portscan: UDP Filtered Portsweep
|
272
|
+
122 || 24 || portscan: UDP Filtered Distributed Portscan
|
273
|
+
122 || 25 || portscan: ICMP Sweep
|
274
|
+
122 || 26 || portscan: ICMP Filtered Sweep
|
275
|
+
122 || 27 || portscan: Open Port
|
276
|
+
123 || 1 || frag3: IP Options on fragmented packet
|
277
|
+
123 || 2 || frag3: Teardrop attack
|
278
|
+
123 || 3 || frag3: Short fragment, possible DoS attempt
|
279
|
+
123 || 4 || frag3: Fragment packet ends after defragmented packet
|
280
|
+
123 || 5 || frag3: Zero-byte fragment
|
281
|
+
123 || 6 || frag3: Bad fragment size, packet size is negative
|
282
|
+
123 || 7 || frag3: Bad fragment size, packet size is greater than 65536
|
283
|
+
123 || 8 || frag3: Fragmentation overlap
|
284
|
+
123 || 9 || frag3: IPv6 BSD mbufs remote kernel buffer overflow
|
285
|
+
123 || 10 || frag3: Bogus fragmentation packet. Possible BSD attack
|
286
|
+
123 || 11 || frag3: TTL value less than configured minimum, not using for reassembly
|
287
|
+
123 || 12 || frag3: Number of overlapping fragments exceed configured limit
|
288
|
+
123 || 13 || frag3: Fragments smaller than configured min_fragment_length
|
289
|
+
124 || 1 || smtp: Attempted command buffer overflow
|
290
|
+
124 || 2 || smtp: Attempted data header buffer overflow
|
291
|
+
124 || 3 || smtp: Attempted response buffer overflow
|
292
|
+
124 || 4 || smtp: Attempted specific command buffer overflow
|
293
|
+
124 || 5 || smtp: Unknown command
|
294
|
+
124 || 6 || smtp: Illegal command
|
295
|
+
124 || 7 || smtp: Attempted header name buffer overflow
|
296
|
+
124 || 8 || smtp: Attempted X-Link2State command buffer overflow
|
297
|
+
125 || 1 || ftp_pp: Telnet command on FTP command channel
|
298
|
+
125 || 2 || ftp_pp: Invalid FTP command
|
299
|
+
125 || 3 || ftp_pp: FTP parameter length overflow
|
300
|
+
125 || 4 || ftp_pp: FTP malformed parameter
|
301
|
+
125 || 5 || ftp_pp: Possible string format attempt in FTP command/parameter
|
302
|
+
125 || 6 || ftp_pp: FTP response length overflow
|
303
|
+
125 || 7 || ftp_pp: FTP command channel encrypted
|
304
|
+
125 || 8 || ftp_pp: FTP bounce attack
|
305
|
+
125 || 9 || ftp_pp: Evasive Telnet command on FTP command channel
|
306
|
+
126 || 1 || telnet_pp: Telnet consecutive AYT overflow
|
307
|
+
126 || 2 || telnet_pp: Telnet data encrypted
|
308
|
+
126 || 3 || telnet_pp: Subnegotiation Begin without matching Subnegotiation End
|
309
|
+
128 || 1 || ssh: Gobbles exploit
|
310
|
+
128 || 2 || ssh: SSH1 CRC32 exploit
|
311
|
+
128 || 3 || ssh: Server version string overflow
|
312
|
+
128 || 4 || ssh: Protocol mismatch
|
313
|
+
128 || 5 || ssh: Bad message direction
|
314
|
+
128 || 6 || ssh: Payload size incorrect for the given payload
|
315
|
+
128 || 7 || ssh: Failed to detect SSH version string
|
316
|
+
129 || 1 || stream5: SYN on established session
|
317
|
+
129 || 2 || stream5: Data on SYN packet
|
318
|
+
129 || 3 || stream5: Data sent on stream not accepting data
|
319
|
+
129 || 4 || stream5: TCP Timestamp is outside of PAWS window
|
320
|
+
129 || 5 || stream5: Bad segment, overlap adjusted size less than/equal 0
|
321
|
+
129 || 6 || stream5: Window size (after scaling) larger than policy allows
|
322
|
+
129 || 7 || stream5: Limit on number of overlapping TCP packets reached
|
323
|
+
129 || 8 || stream5: Data sent on stream after TCP Reset
|
324
|
+
129 || 9 || stream5: TCP Client possibly hijacked, different Ethernet Address
|
325
|
+
129 || 10 || stream5: TCP Server possibly hijacked, different Ethernet Address
|
326
|
+
129 || 11 || stream5: TCP Data with no TCP Flags set
|
327
|
+
129 || 12 || stream5: TCP Small Segment Threshold Exceeded
|
328
|
+
129 || 13 || stream5: TCP 4-way handshake detected
|
329
|
+
129 || 14 || stream5: TCP Timestamp is missing
|
330
|
+
130 || 1 || dcerpc: Maximum memory usage reached
|
331
|
+
131 || 1 || dns: Obsolete DNS RData Type
|
332
|
+
131 || 2 || dns: Experimental DNS RData Type
|
333
|
+
131 || 3 || dns: Client RData TXT Overflow
|
334
|
+
133 || 1 || dcerpc2: Memory cap exceeded
|
335
|
+
133 || 2 || dcerpc2: SMB - Bad NetBIOS Session Service session type
|
336
|
+
133 || 3 || dcerpc2: SMB - Bad SMB message type
|
337
|
+
133 || 4 || dcerpc2: SMB - Bad SMB Id (not "\xffSMB" for SMB1 or not "\xfeSMB" for SMB2)
|
338
|
+
133 || 5 || dcerpc2: SMB - Bad word count or structure size for command
|
339
|
+
133 || 6 || dcerpc2: SMB - Bad byte count for command
|
340
|
+
133 || 7 || dcerpc2: SMB - Bad format type for command
|
341
|
+
133 || 8 || dcerpc2: SMB - Bad AndX or data offset in command
|
342
|
+
133 || 9 || dcerpc2: SMB - Zero total data count in command
|
343
|
+
133 || 10 || dcerpc2: SMB - NetBIOS data length less than SMB header length
|
344
|
+
133 || 11 || dcerpc2: SMB - Remaining NetBIOS data length less than command length
|
345
|
+
133 || 12 || dcerpc2: SMB - Remaining NetBIOS data length less than command byte count
|
346
|
+
133 || 13 || dcerpc2: SMB - Remaining NetBIOS data length less than command data size
|
347
|
+
133 || 14 || dcerpc2: SMB - Remaining total data count less than this command data size
|
348
|
+
133 || 15 || dcerpc2: SMB - Total data sent greater than command total data expected
|
349
|
+
133 || 16 || dcerpc2: SMB - Byte count less than command data size
|
350
|
+
133 || 17 || dcerpc2: SMB - Invalid command data size for byte count
|
351
|
+
133 || 18 || dcerpc2: SMB - Excessive Tree Connect requests with pending Tree Connect responses
|
352
|
+
133 || 19 || dcerpc2: SMB - Excessive Read requests with pending Read responses
|
353
|
+
133 || 20 || dcerpc2: SMB - Excessive command chaining
|
354
|
+
133 || 21 || dcerpc2: SMB - Multiple chained login requests
|
355
|
+
133 || 22 || dcerpc2: SMB - Multiple chained tree connect requests
|
356
|
+
133 || 23 || dcerpc2: SMB - Chained/Compounded login followed by logoff
|
357
|
+
133 || 24 || dcerpc2: SMB - Chained/Compounded tree connect followed by tree disconnect
|
358
|
+
133 || 25 || dcerpc2: SMB - Chained/Compounded open pipe followed by close pipe
|
359
|
+
133 || 26 || dcerpc2: SMB - Invalid share access
|
360
|
+
133 || 27 || dcerpc2: Connection-oriented DCE/RPC - Invalid major version
|
361
|
+
133 || 28 || dcerpc2: Connection-oriented DCE/RPC - Invalid minor version
|
362
|
+
133 || 29 || dcerpc2: Connection-oriented DCE/RPC - Invalid pdu type
|
363
|
+
133 || 30 || dcerpc2: Connection-oriented DCE/RPC - Fragment length less than header size
|
364
|
+
133 || 31 || dcerpc2: Connection-oriented DCE/RPC - Remaining fragment length less than size needed
|
365
|
+
133 || 32 || dcerpc2: Connection-oriented DCE/RPC - No context items specified
|
366
|
+
133 || 33 || dcerpc2: Connection-oriented DCE/RPC - No transfer syntaxes specified
|
367
|
+
133 || 34 || dcerpc2: Connection-oriented DCE/RPC - Fragment length on non-last fragment less than maximum negotiated fragment transmit size for client
|
368
|
+
133 || 35 || dcerpc2: Connection-oriented DCE/RPC - Fragment length greater than maximum negotiated fragment transmit size
|
369
|
+
133 || 36 || dcerpc2: Connection-oriented DCE/RPC - Alter Context byte order different from Bind
|
370
|
+
133 || 37 || dcerpc2: Connection-oriented DCE/RPC - Call id of non first/last fragment different from call id established for fragmented request
|
371
|
+
133 || 38 || dcerpc2: Connection-oriented DCE/RPC - Opnum of non first/last fragment different from opnum established for fragmented request
|
372
|
+
133 || 39 || dcerpc2: Connection-oriented DCE/RPC - Context id of non first/last fragment different from context id established for fragmented request
|
373
|
+
133 || 40 || dcerpc2: Connectionless DCE/RPC - Invalid major version
|
374
|
+
133 || 41 || dcerpc2: Connectionless DCE/RPC - Invalid pdu type
|
375
|
+
133 || 42 || dcerpc2: Connectionless DCE/RPC - Data length less than header size
|
376
|
+
133 || 43 || dcerpc2: Connectionless DCE/RPC - Bad sequence number
|
377
|
+
133 || 44 || dcerpc2: SMB - Invalid SMB version 1 seen
|
378
|
+
133 || 45 || dcerpc2: SMB - Invalid SMB version 2 seen
|
379
|
+
133 || 46 || dcerpc2: SMB - Invalid user, tree connect, file binding
|
380
|
+
133 || 47 || dcerpc2: SMB - Excessive command compounding
|
381
|
+
134 || 1 || ppm: rule tree disabled
|
382
|
+
134 || 2 || ppm: rule tree enabled
|
383
|
+
135 || 1 || internal: syn received
|
384
|
+
135 || 2 || internal: session established
|
385
|
+
135 || 3 || internal: session cleared
|
386
|
+
138 || 2 || sensitive_data: sensitive data - Credit card numbers
|
387
|
+
138 || 3 || sensitive_data: sensitive data - U.S. social security numbers with dashes
|
388
|
+
138 || 4 || sensitive_data: sensitive data - U.S. social security numbers without dashes
|
389
|
+
138 || 5 || sensitive_data: sensitive data - eMail addresses
|
390
|
+
138 || 6 || sensitive_data: sensitive data - U.S. phone numbers
|
391
|
+
139 || 1 || sensitive_data: sensitive data global threshold exceeded
|