?? netbios.rules
字號:
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB ADMIN$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"ADMIN|24 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:532; rev:12;)alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB ADMIN$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"A|00|D|00|M|00|I|00|N|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2473; rev:7;)alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS ADMIN$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"ADMIN|24 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2474; rev:7;)alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS ADMIN$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"A|00|D|00|M|00|I|00|N|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2475; rev:7;)alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|5C|winreg|00|"; within:8; distance:51; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2174; rev:7;)alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg unicode create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|5C 00|w|00|i|00|n|00|r|00|e|00|g|00 00 00|"; within:16; distance:51; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2175; rev:8;)# where did these come from? I don't know. lets disable them for real for now# and deal with it later...### alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; depth:5; offset:4; content:"|5C|winreg|00|"; offset:85; nocase; classtype:attempted-recon; rev:2;)### alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; depth:5; offset:4; content:"|5C 00|w|00|i|00|n|00|r|00|e|00|g|00|"; offset:85; nocase; classtype:attempted-recon; rev:2;)alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|5C|winreg|00|"; within:8; distance:51; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2476; rev:6;)alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg unicode create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|5C 00|w|00|i|00|n|00|r|00|e|00|g|00 00 00|"; within:16; distance:51; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2477; rev:6;)alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2478; rev:7;)alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg unicode bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2479; rev:7;)alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS InitiateSystemShutdown unicode attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2480; rev:7;)alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS InitiateSystemShutdown unicode little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2481; rev:7;)alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS InitiateSystemShutdown attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2482; rev:7;)alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS InitiateSystemShutdown little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2483; rev:7;)alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda .eml"; flow:to_server,established; content:"|00|.|00|E|00|M|00|L"; reference:url,www.f-secure.com/v-descs/nimda.shtml; classtype:bad-unknown; sid:1293; rev:10;)alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda .nws"; flow:to_server,established; content:"|00|.|00|N|00|W|00|S"; reference:url,www.f-secure.com/v-descs/nimda.shtml; classtype:bad-unknown; sid:1294; rev:10;)alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda RICHED20.DLL"; flow:to_server,established; content:"R|00|I|00|C|00|H|00|E|00|D|00|2|00|0"; reference:url,www.f-secure.com/v-descs/nimda.shtml; classtype:bad-unknown; sid:1295; rev:9;)alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS DOS RFPoison"; flow:to_server,established; content:"|5C 00 5C 00|*|00|S|00|M|00|B|00|S|00|E|00|R|00|V|00|E|00|R|00 00 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 FF FF FF FF 00 00 00 00|"; reference:arachnids,454; classtype:attempted-dos; sid:529; rev:7;)alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS NT NULL session"; flow:to_server,established; content:"|00 00 00 00|W|00|i|00|n|00|d|00|o|00|w|00|s|00| |00|N|00|T|00| |00|1|00|3|00|8|00|1"; reference:arachnids,204; reference:bugtraq,1163; reference:cve,2000-0347; classtype:attempted-recon; sid:530; rev:10;)alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS RFParalyze Attempt"; flow:to_server,established; content:"BEAVIS"; content:"yep yep"; reference:bugtraq,1163; reference:cve,2000-0347; reference:nessus,10392; classtype:attempted-recon; sid:1239; rev:9;)alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CD.."; flow:to_server,established; content:"|5C|../|00 00 00|"; reference:arachnids,338; classtype:attempted-recon; sid:534; rev:6;)alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CD..."; flow:to_server,established; content:"|5C|...|00 00 00|"; reference:arachnids,337; classtype:attempted-recon; sid:535; rev:6;)?? 快捷鍵說明
復制代碼
Ctrl + C
搜索代碼
Ctrl + F
全屏模式
F11
切換主題
Ctrl + Shift + D
顯示快捷鍵
?
增大字號
Ctrl + =
減小字號
Ctrl + -