# $Id: misc-lib,v 1.4 2000/02/07 23:55:44 roesch Exp $ 
# "other" stuff goes in here

# Happy 99 Virus checking from Scott McIntyre
alert tcp any any -> $HOME_NET 25 (msg:"Happy 99 Virus"; content:"X-Spanska\: Yes"; flags: PA;)

# SNMP attempts from Ron Gula
alert udp any any -> $HOME_NET 161 (msg:"SNMP NT User List"; content:"|2b06 0104 014d 0102 19|";)

# netbios probes from Ron Gula
alert udp any any -> $HOME_NET 137 (msg:"SMB Name Wildcard"; content:"CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA|0000|";)
alert tcp any any -> $HOME_NET 139 (msg:"Samba client access"; content:"|00|Unix|00|Samba";)
alert tcp any any -> $HOME_NET 139 (msg:"SMB CD..."; content:"\...|00 00 00|";)
alert tcp any any -> $HOME_NET 139 (msg:"SMB CD.."; content:"\..|2f 00 00 00|";)
alert tcp any any -> $HOME_NET 139 (msg:"SMB C$ access"; content:"\C$|00 41 3a 00|";)
alert tcp any any -> $HOME_NET 139 (msg:"SMB D$ access"; content:"\D$|00 41 3a 00|";)
alert tcp any any -> $HOME_NET 139 (msg:"SMB ADMIN$ access"; content:"\ADMIN$|00 41 3a 00|";)

# alert on stuff going where it probably shouldn't be
# note that the port range specification is inclusive, so we're keying on ports 0-1023
alert tcp any 53 -> $HOME_NET :1023 (msg:"Source Port traffic";)
alert udp any 53 -> $HOME_NET 0:52 (msg:"Source Port traffic";)
alert udp any 53 -> $HOME_NET 54:1023 (msg:"Source Port traffic";)
alert tcp any 20 -> $HOME_NET :1023 (msg:"Source Port traffic";)

alert tcp any any -> $HOME_NET 32771 (msg: "Attempted Sun RPC high port access";)
alert udp any any -> $HOME_NET 32771 (msg: "Attempted Sun RPC high port access";)
alert udp any any -> $HOME_NET 161 (msg: "SNMP public access"; content:"public";)

# DNS version query rule from Tom Vandepoel <Tom.Vandepoel@ubizen.com>
alert udp !$HOME_NET any -> $HOME_NET 53 (msg:"MISC-DNS-version-query"; content:"version|04|bind|0000 1000 03";)
