# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved## This file may contain proprietary rules that were created, tested and# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as# rules that were created by Sourcefire and other third parties and# distributed under the GNU General Public License (the "GPL Rules").  The# VRT Certified Rules contained in this file are the property of# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.# The GPL Rules created by Sourcefire, Inc. are the property of# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights# Reserved.  All other GPL Rules are owned and copyrighted by their# respective owners (please see www.snort.org/contributors for a list of# owners and their respective copyrights).  In order to determine what# rules are VRT Certified Rules or GPL Rules, please refer to the VRT# Certified Rules License Agreement.### $Id: bad-traffic.rules,v 1.39.6.4 2008/04/02 23:15:15 vrtbuild Exp $#------------------# BAD TRAFFIC RULES#------------------# These signatures are representitive of traffic that should never be seen on# any network.  None of these signatures include datagram content checking# and are extremely quick signatures#alert tcp $EXTERNAL_NET any <> $HOME_NET 0 (msg:"BAD-TRAFFIC tcp port 0 traffic"; flow:stateless; classtype:misc-activity; sid:524; rev:8;)alert udp $EXTERNAL_NET any <> $HOME_NET 0 (msg:"BAD-TRAFFIC udp port 0 traffic"; flow:to_server; reference:bugtraq,576; reference:cve,1999-0675; reference:nessus,10074; classtype:misc-activity; sid:525; rev:10;)# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC data in TCP SYN packet"; flow:stateless; dsize:>6; flags:S,12; metadata:policy security-ips drop; reference:url,www.cert.org/incident_notes/IN-99-07.html; classtype:misc-activity; sid:526; rev:12;)# alert ip any any <> 127.0.0.0/8 any (msg:"BAD-TRAFFIC loopback traffic"; metadata:policy security-ips drop; reference:url,www.sans.org/reading_room/whitepapers/firewalls/1059.php; classtype:bad-unknown; sid:528; rev:8;)# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC ip reserved bit set"; fragbits:R; metadata:policy security-ips drop; classtype:misc-activity; sid:523; rev:7;)# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC 0 ttl"; ttl:0; metadata:policy security-ips drop; reference:url,support.microsoft.com/kb/q138268; reference:url,www.isi.edu/in-notes/rfc1122.txt; classtype:misc-activity; sid:1321; rev:11;)# linux happens.  Blah# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC bad frag bits"; fragbits:MD; metadata:policy security-ips drop; classtype:misc-activity; sid:1322; rev:8;)# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC Unassigned/Reserved IP protocol"; ip_proto:>134; metadata:policy security-ips drop; reference:url,www.iana.org/assignments/protocol-numbers; classtype:non-standard-protocol; sid:1627; rev:5;)# alert tcp any any -> [232.0.0.0/8,233.0.0.0/8,239.0.0.0/8] any (msg:"BAD-TRAFFIC syn to multicast address"; flow:stateless; flags:S+; metadata:policy security-ips drop; classtype:bad-unknown; sid:1431; rev:11;)alert ip any any -> any any (msg:"BAD-TRAFFIC IP Proto 53 SWIPE"; ip_proto:53; metadata:policy security-ips drop; reference:bugtraq,8211; reference:cve,2003-0567; reference:nessus,11791; classtype:non-standard-protocol; sid:2186; rev:5;)alert ip any any -> any any (msg:"BAD-TRAFFIC IP Proto 55 IP Mobility"; ip_proto:55; metadata:policy security-ips drop; reference:bugtraq,8211; reference:cve,2003-0567; reference:nessus,11791; classtype:non-standard-protocol; sid:2187; rev:5;)alert ip any any -> any any (msg:"BAD-TRAFFIC IP Proto 77 Sun ND"; ip_proto:77; metadata:policy security-ips drop; reference:bugtraq,8211; reference:cve,2003-0567; reference:nessus,11791; classtype:non-standard-protocol; sid:2188; rev:5;)alert ip any any -> any any (msg:"BAD-TRAFFIC IP Proto 103 PIM"; ip_proto:103; metadata:policy security-ips drop; reference:bugtraq,8211; reference:cve,2003-0567; reference:nessus,11791; classtype:non-standard-protocol; sid:2189; rev:5;)