#
# $Id: bleeding.rules $
# Bleeding Edge Threats rules. 
#
# SID's are 2000000+ to avoid conflicts
#
# More information available at www.bleedingthreats.net
#
# Please submit any custom rules or ideas to bleeding@bleedingthreats.net or the bleeding-sigs mailing list
#
#*************************************************************
#  Copyright (c) 2003-2007, Bleeding Edge Threats
#  All rights reserved.
#  
#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
#  following conditions are met:
#  
#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
#    disclaimer.
#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
#    following disclaimer in the documentation and/or other materials provided with the distribution.
#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
#    from this software without specific prior written permission.
#  
#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
#
#
#By Scott Melnick
#You should never get a Private DNS address from a Remote DNS Server
#Disable or modify this rule if your DNS server is not on your HOME_NET and is issuing Private IP's
#disabling, scheduled for deletion
#alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT EVENTS DNS-Rebinding Attack 192.168.x.x/16 (local IP from remote DNS Server)"; content: "|c0 0c 00 01 00 01|"; content: "|00 04 c0 a8|"; within:4; distance:4; reference:url,crypto.stanford.edu/dns/; classtype:misc-attack; sid:2006913; rev:4;)
#alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT EVENTS DNS-Rebinding Attack 10.x.x.x /8 (local IP from remote DNS Server)"; content: "|c0 0c 00 01 00 01|"; content: "|00 04 0a|"; within:3; distance:4; reference:url,crypto.stanford.edu/dns/; classtype:misc-attack; sid:2006914; rev:4;)
#alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT EVENTS DNS-Rebinding Attack 172.16.x.x/12 (local IP from remote DNS Server)"; content: "|c0 0c 00 01 00 01|"; content: "|00 04 ac|"; within:3; distance:4; pcre:"/\xac+[\x10|\x11|\x12|\x13|\x14|\x15|\x16|\x17|\x18|\x19|\x1a|\x1b|\x1c|\x1d|\x1e|\x1f]/"; reference:url,crypto.stanford.edu/dns/; classtype:misc-attack; sid:2006915; rev:3;)
#alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT EVENTS DNS-Rebinding Attack 127.0.01 address (local IP from remote DNS Server)"; content: "|c0 0c 00 01 00 01|"; content: "|00 04 7f 00 00 01|"; within:6; distance:4; reference:url,crypto.stanford.edu/dns/; classtype:misc-attack; sid:2006916; rev:3;)
#alert tcp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT EVENTS DNS-Rebinding Attack 192.168.x.x/16 (local IP from remote DNS Server)"; flow:established,from_server; content: "|c0 0c 00 01 00 01|"; content: "|00 04 c0 a8|"; within:4; distance:4; reference:url,crypto.stanford.edu/dns/; classtype:misc-attack; sid:2006917; rev:5;)
#alert tcp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT EVENTS DNS-Rebinding Attack 10.x.x.x /8 (local IP from remote DNS Server)"; flow:established,from_server; content: "|c0 0c 00 01 00 01|"; content: "|00 04 0a|"; within:3; distance:4; reference:url,crypto.stanford.edu/dns/; classtype:misc-attack; sid:2006918; rev:5;)
#alert tcp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT EVENTS DNS-Rebinding Attack 172.16.x.x/12 (local IP from remote DNS Server)"; flow:established,from_server; content: "|c0 0c 00 01 00 01|"; content: "|00 04 ac|"; within:3; distance:4;  pcre:"/\xac+[\x10|\x11|\x12|\x13|\x14|\x15|\x16|\x17|\x18|\x19|\x1a|\x1b|\x1c|\x1d|\x1e|\x1f]/";  reference:url,crypto.stanford.edu/dns/; classtype:misc-attack; sid:2006919; rev:4;)
#alert tcp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT EVENTS DNS-Rebinding Attack 127.0.0.1 address (local IP from remote DNS Server)"; flow:established,from_server; content: "|c0 0c 00 01 00 01|"; content: "|00 04 7f 00 00 01|"; within:6; distance:4; reference:url,crypto.stanford.edu/dns/; classtype:misc-attack; sid:2006920; rev:4;)

#By Don Jackson of SecureWorks
# Crafted for the lowest common denominator; should work in most 1.x and later engines, PCRE used for C&C traffic.
# Mostly for spotting it's use on your network.  Only one DDoS rule. Be careful of the number/rate of alerts; these do not use thresholding.
# DNS left in hex to avoid advertising the domains to the bad guys via google

#these first few are for specific domains, to be removed in the not too distant future
alert tcp $HOME_NET :1024 -> any 53 (msg:"BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DNS Activity TCP (1)"; flow:established,to_server; content:"|08616c2d6a696e616e036e65740000010001|"; classtype:trojan-activity; reference:url,doc.bleedingthreats.net/bin/view/Main/EJihadHackTool; sid:2007673; rev:1;)
alert tcp $HOME_NET :1024 -> any 53 (msg:"BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DNS Activity TCP (2)"; flow:established,to_server; content:"|0861312d6a696e616e036e65740000010001|"; classtype:trojan-activity; reference:url,doc.bleedingthreats.net/bin/view/Main/EJihadHackTool; sid:2007674; rev:1;)
alert tcp $HOME_NET :1024 -> any 53 (msg:"BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DNS Activity TCP (3)"; flow:established,to_server; content:"|0661726464726104686f737402736b0000010001|"; classtype:trojan-activity; reference:url,doc.bleedingthreats.net/bin/view/Main/EJihadHackTool; sid:2007675; rev:1;)
alert tcp $HOME_NET :1024 -> any 53 (msg:"BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DNS Activity TCP (4)"; flow:established,to_server; content:"|03777777056a6f2d7566036e65740000010001|"; classtype:trojan-activity; reference:url,doc.bleedingthreats.net/bin/view/Main/EJihadHackTool; sid:2007676; rev:1;)
alert tcp $HOME_NET :1024 -> any 53 (msg:"BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DNS Activity TCP (5)"; flow:established,to_server; content:"|037777770c6a6f66706d7579747276636603636f6d0000010001|"; classtype:trojan-activity; reference:url,doc.bleedingthreats.net/bin/view/Main/EJihadHackTool; sid:2007677; rev:1;)
alert udp $HOME_NET :1024 -> any 53 (msg:"BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DNS Activity UDP (1)"; content:"|08616c2d6a696e616e036e65740000010001|"; classtype:trojan-activity; reference:url,doc.bleedingthreats.net/bin/view/Main/EJihadHackTool; sid:2007678; rev:1;)
alert udp $HOME_NET :1024 -> any 53 (msg:"BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DNS Activity UDP (2)"; content:"|0861312d6a696e616e036e65740000010001|"; classtype:trojan-activity; reference:url,doc.bleedingthreats.net/bin/view/Main/EJihadHackTool; sid:2007679; rev:1;)
alert udp $HOME_NET :1024 -> any 53 (msg:"BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DNS Activity UDP (3)"; content:"|0661726464726104686f737402736b0000010001|"; classtype:trojan-activity; reference:url,doc.bleedingthreats.net/bin/view/Main/EJihadHackTool; sid:2007680; rev:1;)
alert udp $HOME_NET :1024 -> any 53 (msg:"BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DNS Activity UDP (4)"; content:"|03777777056a6f2d7566036e65740000010001|"; classtype:trojan-activity; reference:url,doc.bleedingthreats.net/bin/view/Main/EJihadHackTool; sid:2007681; rev:1;)
alert udp $HOME_NET :1024 -> any 53 (msg:"BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DNS Activity UDP (5)"; content:"|037777770c6a6f66706d7579747276636603636f6d0000010001|"; classtype:trojan-activity; reference:url,doc.bleedingthreats.net/bin/view/Main/EJihadHackTool; sid:2007682; rev:1;)

#these are more permanent, C&C related
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 HTTP Activity 1"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/tlog.php?logn="; pcre:"/GET /tlog\.php?logn=[^\s]+&pss=[^\s]+\sHTTP/1\.[0|1]\x0D\x0A/"; classtype:trojan-activity; reference:url,doc.bleedingthreats.net/bin/view/Main/EJihadHackTool; sid:2007683; rev:1;)
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 HTTP Activity 2"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/ntarg.php?"; pcre:"/GET /ntarg\.php?[^\s]*(notdoing=|howme=|uname=)[^\s]*\sHTTP/1\.[0|1]\x0D\x0A/"; classtype:trojan-activity; reference:url,doc.bleedingthreats.net/bin/view/Main/EJihadHackTool; sid:2007684; rev:1;)
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 HTTP Activity 3"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/tnewu.php?nlogin="; pcre:"/GET /tnewu.php?nlogin=[^\s]+&npss=[^\s]+&invitedby=[^\s]+\sHTTP/1\.[0|1]\x0D\x0A/"; classtype:trojan-activity; reference:url,doc.bleedingthreats.net/bin/view/Main/EJihadHackTool; sid:2007685; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DDoS HTTP Activity OUTBOUND"; flow:established,to_server; content:"GET "; offset:0; depth:4; content:"|0d 0a|User-Agent\: Attacker|0d 0a|"; offset:14; classtype:denial-of-service; reference:url,doc.bleedingthreats.net/bin/view/Main/EJihadHackTool; sid:2007686; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE CURRENT_EVENTS E-Jihad 3.0 DDoS HTTP Activity INBOUND"; flow:established,to_server; content:"GET "; offset:0; depth:4; content:"|0d 0a|User-Agent\: Attacker|0d 0a|"; offset:14; classtype:denial-of-service; reference:url,doc.bleedingthreats.net/bin/view/Main/EJihadHackTool; sid:2007687; rev:2;)

#by Scott Melnick
#threat passed, too high load to keep for long term. To be removed soon
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT_EVENTS FireFox Remote Command EXE Mailto Link Detected"; flow: from_server,established; content:"mailto\:%"; nocase; content: "/../../"; within:30; nocase; pcre:"/(\.exe|\.bat|\.com)/i"; reference:url,xs-sniper.com/blog/remote-command-exec-firefox-2005/; classtype:web-application-attack; sid:2006436; rev:1;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT_EVENTS FireFox Remote Command EXE News Link Detected"; flow: from_server,established; content:"news\:%"; nocase; content: "/../../"; within:30; nocase; pcre:"/(\.exe|\.bat|\.com)/i"; reference:url,xs-sniper.com/blog/remote-command-exec-firefox-2005/; classtype:web-application-attack; sid:2006437; rev:1;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT_EVENTS FireFox Remote Command EXE Nntp Link Detected"; flow: from_server,established; content:"nntp\:%"; nocase; content: "/../../"; within:30; nocase; pcre:"/(\.exe|\.bat|\.com)/i"; reference:url,xs-sniper.com/blog/remote-command-exec-firefox-2005/; classtype:web-application-attack; sid:2006438; rev:1;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT_EVENTS FireFox Remote Command EXE Snews Link Detected"; flow: from_server,established; content:"snews\:%"; nocase; content: "/../../"; within:30; nocase; pcre:"/(\.exe|\.bat|\.com)/i"; reference:url,xs-sniper.com/blog/remote-command-exec-firefox-2005/; classtype:web-application-attack; sid:2006439; rev:1;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT_EVENTS FireFox Remote Command EXE Telnet Link Detected"; flow: from_server,established; content:"telnet\:%"; nocase; content: "/../../"; within:30; nocase; pcre:"/(\.exe|\.bat|\.com)/i"; reference:url,xs-sniper.com/blog/remote-command-exec-firefox-2005/; classtype:web-application-attack; sid:2006440; rev:1;)

#simple sig, but should work for the time being
#by Matt Jonkman
alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE CURRENT_EVENTS MS IIS Auth Bypass Attempt"; flow:established,to_server; uricontent:"Webhitsfile="; uricontent:"CiRestriction="; uricontent:"CiHiliteType=full"; classtype:attempted-admin; reference:url,support.microsoft.com/kb/328832; sid:2004115; rev:1;)


#by Matt Jonkman, from ISC post, idea from Russ McRee
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT EVENTS Likely ANI Exploit Include from Webpage"; flow:established,from_server; content:"<DIV"; nocase; content:"style"; nocase; within:10; content:"CURSOR\:"; nocase; within:12; pcre:"/<DIV\s+style=\"CURSOR\:\s*url\(\s*http\:\/\/[a-zA-Z0-9\.\/]+\s*\)\s*\">\s*<\s*\/\s*DIV\s*>/ism"; classtype:misc-attack; reference:url,isc.sans.org/diary.html?storyid=2648; sid:2003596; rev:3;)

#by Matt Jonkman
#Temporary, till the patch is widespread
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT_EVENTS Vulnerable MS FlashPix ActiveX Control in Use"; flow:established,from_server;  content:"CLSID"; nocase; content:"{201EA564-A6F6-11D1-811D-00C04FB6BD36}"; distance:0; nocase; classtype:web-application-activity; reference:url,secunia.com/advisories/26426/; sid:2007342; rev:2;)

#needs a better name
#info from Bojan at ISC and Russell Fulton
# sig by Russell and Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE CURRENT_EVENTS Mac Trojan HTTP Checkin (accept-language violation)"; flow:established,to_server; content:"GET "; depth:4; content:" HTTP/1.1|0d 0a|Accept-Language\: "; pcre:"/Accept-Language\: [a-zA-Z0-9]{20}/"; classtype:trojan-activity; sid:2007650; rev:1;)

#by Adam Pointon at sentinelsecurity.com.au
alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"BLEEDING-EDGE DNS Possible MITM lookup for WPAD.com"; content:"|04|wpad|03|com|02|"; nocase; reference:url,support.microsoft.com/kb/247333; classtype:attempted-user; sid:2007707; rev:1;)
alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"BLEEDING-EDGE DNS Possible MITM lookup for WPAD.co"; content:"|04|wpad|02|co|02|"; nocase; reference:url,support.microsoft.com/kb/247333; classtype:attempted-user; sid:2007708; rev:1;)
alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"BLEEDING-EDGE DNS Possible MITM lookup for WPAD.net"; content:"|04|wpad|03|net|02|"; nocase; reference:url,support.microsoft.com/kb/247333; classtype:attempted-user; sid:2007709; rev:1;)
alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"BLEEDING-EDGE DNS Possible MITM lookup for WPAD.org"; content:"|04|wpad|03|org|02|"; nocase; reference:url,support.microsoft.com/kb/247333; classtype:attempted-user; sid:2007710; rev:1;) 

#by axnjxn
#based on referenced article by Pedro Bueno
#Initial experiments on writing good sigs. These are dependant on the exact variant, but we may learn something
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE CURRENT EVENTS Possible XML Controlled Trojan (UrlMonitor.100.z.img)"; flow:established,to_server; content:"<dll"; nocase; content:"url="; distance:0; nocase; content:"UrlMonitor.100.z.img"; nocase; distance:0; classtype:trojan-activity; reference:url,www.avertlabs.com/research/blog/index.php/2007/06/12/xml-controlled-trojans/; sid:2005313; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE CURRENT EVENTS Possible XML Controlled Trojan (core.101.z.img)"; flow:established,to_server; content:"<dll"; nocase; content:"url="; distance:0; nocase; content:"core.101.z.img"; nocase; distance:0; classtype:trojan-activity; reference:url,www.avertlabs.com/research/blog/index.php/2007/06/12/xml-controlled-trojans/; sid:2005314; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE CURRENT EVENTS Possible XML Controlled Trojan (Notifier.104.z.img)"; flow:established,to_server; content:"<dll"; nocase; content:"url="; distance:0; nocase; content:"Notifier.104.z.img"; nocase; distance:0; classtype:trojan-activity; reference:url,www.avertlabs.com/research/blog/index.php/2007/06/12/xml-controlled-trojans/; sid:2005315; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE CURRENT EVENTS Possible XML Controlled Trojan (bootup.exe.xml)"; flow:established,to_server; content:"<dll"; nocase; content:"url="; distance:0; nocase; content:"bootup.exe.xml"; nocase; distance:0; classtype:trojan-activity; reference:url,www.avertlabs.com/research/blog/index.php/2007/06/12/xml-controlled-trojans/; sid:2005316; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE CURRENT EVENTS Possible XML Controlled Trojan (UrlMonitor.xml)"; flow:established,to_server; content:"<dll"; nocase; content:"url="; distance:0; nocase; content:"UrlMonitor.xml"; nocase; distance:0; classtype:trojan-activity; reference:url,www.avertlabs.com/research/blog/index.php/2007/06/12/xml-controlled-trojans/; sid:2005317; rev:1;)

#by axnjxn
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT EVENTS Yahoo Messenger CLSID - Possible Attack"; flow:from_server,established; content:"CLSID"; nocase; content:"DCE2F8B1-A520-11D4-8FD0-00D0B7730277"; nocase; distance:0; within:50; classtype:attempted-admin; reference:url,www.kb.cert.org/vuls/id/949817; sid:2004599; rev:1;)

#Yahoo Messenger YVerInfo.dll ActiveX Multiple Remote Buffer Overflow Vulnerabilities
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT EVENTS Yahoo Messenger Vulnerable YVerInfo.dll CLSID in use - Possible Attack"; flow:from_server,established; content:"D5184A39-CBDF-4A4F-AC1A-7A45A852C883"; nocase; classtype:web-application-activity; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=591; reference:url,messenger.yahoo.com/security_update.php?id=082907; sid:2007586; rev:1;)