/etc/snort/rules/community-web-attacks.rules is in snort-rules-default 2.9.7.0-5.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
# These rules are licensed under the GNU General Public License.
# Please see the file LICENSE in this directory for more details.
# $Id: community-web-attacks.rules,v 1.6 2005/12/13 14:24:48 akirk Exp $
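# Hydra login-guessing tool: alerts on client-to-server HTTP traffic whose
# User-Agent header is "Mozilla/4.0 (Hydra)". The two content matches are
# cheap pre-filters; the pcre pins the exact header layout.
# Fix: the parentheses around "Hydra" were unescaped, so the pcre treated them
# as a capture group and required "Mozilla/4.0 Hydra", which does not match the
# parenthesised agent string. They are now matched literally as \x28 and \x29.
# NOTE(review): rev is left as shipped; bump it per local policy when deploying
# this corrected form. The trailing nocase after the pcre looks redundant
# because the pcre already carries /i. Confirm before removing it.
# A User-Agent is trivially changed by the client, so absence of this alert
# does not rule out password guessing; pair it with failed-login rate alerts.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-ATTACKS Hydra Activity Detected"; flow:to_server,established; content:"User-Agent|3A|"; nocase; content:"Hydra"; nocase; distance:0; pcre:"/^User-Agent\s*\x3A\s*Mozilla\x2f4\.0 \x28Hydra\x29/smi"; nocase; reference:url,www.thc.org/releases.php; classtype:misc-attack; sid:100000168; rev:1;)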
# Amap service-fingerprinting probe: alerts when a fixed byte sequence appears
# within the first 130 payload bytes (depth:130) of an established
# client-to-server stream on $HTTP_PORTS.
# NOTE(review): the bytes look like an SSLv2-style client hello with static
# trailing bytes. Confirm against a capture before relying on that reading.
# The match is an exact static signature, so any change to the probe bytes
# defeats it. Treat a hit as reconnaissance and correlate with later events
# from the same source.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-ATTACKS Amap fingerprint attempt"; flow:to_server,established; content:"|80 80 01 03 01 00 57 00 00 00 20 00 00 16 00 00 13 00 00 0a 07 00 c0 00 00 66 00 00 07 00 00 05 00 00 04 05 00 80 03 00 80 01 00 80 08 00 80 00 00 65 00 00 64 00 00 63 00 00 62 00 00 61 00 00 60 00 00 15 00 00 12 00 00 09 06 00 40 00 00 14 00 00 11 00 00 08 00 00 06 00 00 03 04 00 80 02 00 80 63 b9 b9 19 c0 2b ae 90 74 4c 73 eb 8b cf d8 55 ea d0 69 82 1b ef 23 c3 39 9b 8e b2 49 3c 5a 79|"; depth:130; classtype:web-application-activity; reference:url,www.thc.org/releases.php; sid:100000169; rev:2;)
# GFI MailSecurity management interface overflow (bugtraq 15081): alerts when a
# line starting with "Host" is followed by 100 or more characters with no CR/LF.
# The rule inspects the raw payload and applies to every host in $HTTP_SERVERS,
# not only GFI MailSecurity hosts, so an unusually long but legitimate Host line
# also fires. Narrow the destination to the management host where possible.
# A hit shows an over-long header was sent, not that the target was vulnerable;
# check the product version before escalating.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-ATTACKS GFI MailSecurity Management Host Overflow Attempt Long Host Parameter"; flow:to_server,established; content:"Host"; nocase; pcre:"/^Host[^\r\n]{100,}/smi"; reference:bugtraq,15081; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=19926; classtype:attempted-admin; sid:100000170; rev:2;)
# Companion to sid 100000170 (bugtraq 15081): alerts when a line starting with
# "Accept" is followed by 200 or more characters with no CR/LF.
# The pcre does not require a colon right after "Accept", so header names that
# merely begin with it (for example Accept-Language or Accept-Encoding) count
# toward the match as well.
# NOTE(review): ordinary browser traffic may exceed this length. Expect false
# positives unless the destination is limited to the GFI management host.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-ATTACKS GFI MailSecurity Management Host Overflow Attempt Long Accept Parameter"; flow:to_server,established; content:"Accept"; nocase; pcre:"/^Accept[^\r\n]{200,}/smi"; reference:bugtraq,15081; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=19926; classtype:attempted-admin; sid:100000171; rev:3;)
# SAP Web Application Server: alerts on a request whose URI contains both the
# frameset.htm menu path and the string "sap-syscmd" (both case-insensitive).
# The rule flags any use of that parameter on that page and does not inspect
# its value, so triage requires looking at the captured request itself.
# The reference is the CYBSEC advisory on multiple XSS issues in SAP WAS.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-ATTACKS SAP WAS syscmd access"; flow:to_server,established; uricontent:"/sap/bc/BSp/sap/menu/frameset.htm"; nocase; uricontent:"sap-syscmd"; nocase; reference:url,www.cybsec.com/vuln/CYBSEC_Security_Advisory_Multiple_XSS_in_SAP_WAS.pdf; classtype:web-application-activity; sid:100000183; rev:1;)