[Emerging-Sigs] SIGS

Kevin Ross kevross33 at googlemail.com
Tue Oct 5 16:22:22 EDT 2010


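# Flowbit setter for the InnoDB temporary-table DoS pair; the alerting half is sid:13400003.
# Matches a client->server MySQL query payload containing "SET ... storage_engine=" and sets
# ET.mysql.innodb on the flow. flowbits:noalert means this rule never raises an alert itself.
# Rule is kept on one line: the mail-wrapped form cannot be loaded (no trailing backslash continuation).
# Coverage: source is $EXTERNAL_NET only, so queries from $HOME_NET clients never set the bit.
# NOTE(review): content/pcre inspect cleartext query text; TLS-protected MySQL sessions will not match.
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET DOS Oracle MySQL TEMPORARY InnoDB Tables Denial Of Service Flowbit Set"; flow:established,to_server; content:"SET"; nocase; content:"storage_engine="; nocase; distance:0; pcre:"/SET.+storage_engine=/i"; flowbits:set,ET.mysql.innodb; flowbits:noalert; classtype:not-suspicious; sid:13400002; rev:1;)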

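# Alerting half of the InnoDB temporary-table DoS pair (CVE-2010-3680, bugs.mysql.com 54044).
# Fires only when ET.mysql.innodb was already set on this flow by sid:13400002, and the
# client->server payload then contains "CREATE ... TEMPORARY ... TABLE" (content chain plus pcre).
# Rule is kept on one line: the mail-wrapped form cannot be loaded (no trailing backslash continuation).
# Coverage: source is $EXTERNAL_NET only; the flowbit is never cleared, so any later matching
# CREATE TEMPORARY TABLE on the same flow also alerts.
# NOTE(review): inspects cleartext query text; TLS-protected MySQL sessions will not match.
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET DOS Possible Oracle MySQL TEMPORARY InnoDB Tables Denial Of Service Attempt"; flowbits:isset,ET.mysql.innodb; flow:established,to_server; content:"CREATE"; nocase; content:"TEMPORARY"; nocase; distance:0; content:"TABLE"; nocase; distance:0; pcre:"/CREATE.+TEMPORARY.+TABLE/i"; classtype:attempted-dos; reference:url,bugs.mysql.com/bug.php?id=54044; reference:bid,42598; reference:cve,2010-3680; sid:13400003; rev:1;)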

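# MySQL WITH ROLLUP DoS (CVE-2010-3678, bugs.mysql.com 54477).
# Content chain requires "SELECT" then "WITH" then "ROLLUP" in order in a client->server query;
# the pcre additionally requires either a CASE ... WHEN ... END block or "IN" between SELECT and WITH.
# Rule is kept on one line: the mail-wrapped form cannot be loaded (no trailing backslash continuation).
# NOTE(review): the "IN" alternative is an unanchored case-insensitive substring, so it also
# matches "in" inside identifiers and keywords (e.g. JOIN, INT); expect noise on legitimate
# ROLLUP queries. Consider \bIN\b if the referenced bug is specifically about IN() - confirm.
# NOTE(review): inspects cleartext query text; TLS-protected MySQL sessions will not match.
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET DOS Possible Oracle MySQL WITH ROLLUP Denial Of Service"; flow:established,to_server; content:"SELECT"; nocase; content:"WITH"; nocase; distance:0; content:"ROLLUP"; distance:0; nocase; pcre:"/SELECT.+(CASE.+WHEN.+END|IN).+WITH.+ROLLUP/i"; classtype:attempted-dos; reference:url,bugs.mysql.com/bug.php?id=54477; reference:bid,42596; reference:cve,2010-3678; sid:13400004; rev:1;)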

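# Trend Micro Internet Security Pro 2010 ActiveX extSetOwner RCE attempt (server->client HTTP).
# Content chain: "clsid" followed by the control's CLSID 15DBC3F9-9F0A-472E-8061-043D9CEC52F0, plus
# the method name "extSetOwner" anywhere in the response (no distance on that content); the pcre
# then requires the CLSID inside an <OBJECT ... classid=...> tag, tolerating quotes, braces and whitespace.
# Rule is kept on one line: the mail-wrapped form cannot be loaded (no trailing backslash continuation);
# the reference URL was split across lines in the wrapped form and is rejoined here.
# Coverage: only $EXTERNAL_NET:$HTTP_PORTS -> $HOME_NET responses are inspected; content delivered
# over non-standard ports, HTTPS, or compressed/obfuscated script is not covered.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Trend Micro Internet Security Pro 2010 ActiveX extSetOwner Remote Code Execution Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"15DBC3F9-9F0A-472E-8061-043D9CEC52F0"; nocase; distance:0; content:"extSetOwner"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*15DBC3F9-9F0A-472E-8061-043D9CEC52F0/si"; classtype:attempted-user; reference:url,www.exploit-db.com/trend-micro-internet-security-pro-2010-activex-extsetowner-remote-code-execution/; sid:13400005; rev:1;)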

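# MySQL HANDLER interface DoS (CVE-2010-3681, bugs.mysql.com 54007).
# Matches a client->server query containing "HANDLER" then "READ" then "NEXT" in order
# (content chain with distance:0, confirmed by the pcre).
# Rule is kept on one line: the mail-wrapped form cannot be loaded (no trailing backslash continuation);
# the reference URL was split across lines in the wrapped form and is rejoined here.
# NOTE(review): HANDLER ... READ NEXT is valid, ordinary MySQL syntax; this rule has no
# narrowing condition beyond the keywords, so tune or suppress on hosts that legitimately use it.
# NOTE(review): inspects cleartext query text; TLS-protected MySQL sessions will not match.
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET DOS Possible Oracle MySQL HANDLER Interface Denial Of Service Attempt"; flow:established,to_server; content:"HANDLER"; nocase; content:"READ"; nocase; distance:0; content:"NEXT"; nocase; distance:0; pcre:"/HANDLER.+READ.+NEXT/i"; classtype:attempted-dos; reference:url,bugs.mysql.com/bug.php?id=54007; reference:bid,42633; reference:cve,2010-3681; sid:13400006; rev:1;)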

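# MySQL DDL-statement DoS (CVE-2010-3676, bugs.mysql.com 55039).
# Matches a client->server query containing "CREATE ... TEMPORARY ... TABLE ... ENGINE" followed
# within 2 bytes by "=", i.e. CREATE TEMPORARY TABLE ... ENGINE=... (optionally "ENGINE =").
# Rule is kept on one line: the mail-wrapped form cannot be loaded (no trailing backslash continuation).
# NOTE(review): unlike sid:13400003 this rule has no flowbit gate and CREATE TEMPORARY TABLE ...
# ENGINE= is routine DDL, so alerts on legitimate administrative sessions are likely; consider
# whether the referenced bug needs a specific engine value and add it as a content if so - confirm.
# NOTE(review): inspects cleartext query text; TLS-protected MySQL sessions will not match.
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET DOS Possible Oracle MySQL DDL Statements Denial Of Service Attempt"; flow:established,to_server; content:"CREATE"; nocase; content:"TEMPORARY"; nocase; distance:0; content:"TABLE"; nocase; distance:0; content:"ENGINE"; nocase; distance:0; content:"="; within:2; pcre:"/CREATE.+TEMPORARY.+TABLE.+ENGINE/i"; classtype:attempted-dos; reference:url,bugs.mysql.com/bug.php?id=55039; reference:bid,42643; reference:cve,2010-3676; sid:13400007; rev:1;)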

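# MySQL privilege escalation attempt (bid 43677; no CVE reference given in the original post).
# Matches a client->server query containing "SET" followed by the literal
# "mysql.user.Super_priv='Y'" (case-insensitive).
# Rule is kept on one line: the mail-wrapped form cannot be loaded (no trailing backslash continuation).
# NOTE(review): the second content is an exact spelling - fully qualified column, no spaces around
# "=", single-quoted Y. Equivalent statements written differently (e.g. UPDATE mysql.user SET
# Super_priv = 'Y') are not covered, so treat this as low-recall, low-noise; a pcre tolerating
# whitespace and quoting would widen coverage if the referenced advisory describes other forms - confirm.
# NOTE(review): inspects cleartext query text; TLS-protected MySQL sessions will not match.
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET EXPLOIT Oracle MySQL Privilege Escalation Attempt"; flow:established,to_server; content:"SET"; nocase; content:"mysql.user.Super_priv='Y'"; nocase; distance:0; classtype:attempted-admin; reference:bid,43677; sid:13400008; rev:1;)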