[Emerging-Sigs] SIGS

evilghost@packetmail.net evilghost at packetmail.net
Tue Oct 5 17:09:31 EDT 2010



Matt and others, please do not commit these; these do not detect on the
underlying vulnerability.  These will false like crazy.

Many of the signatures are not correctly coded to detect on the
vulnerability; bounce the sigs against the bug reports.  As a DBA these
signatures scare me.

I don't have time to pick these apart one at a time but I recommend
these not be committed into the ruleset.

-evilghost

On 10/05/2010 03:22 PM, Kevin Ross wrote:
> alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET DOS Oracle
> MySQL TEMPORARY InnoDB Tables Denial Of Service Flowbit Set";
> flow:established,to_server; content:"SET"; nocase;
> content:"storage_engine="; nocase; distance:0;
> pcre:"/SET.+storage_engine=/i"; flowbits:set,ET.mysql.innodb;
> flowbits:noalert; classtype:not-suspicious; sid:13400002; rev:1;)
>  
> alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET DOS Possible
> Oracle MySQL TEMPORARY InnoDB Tables Denial Of Service Attempt";
> flowbits:isset,ET.mysql.innodb; flow:established,to_server;
> content:"CREATE"; nocase; content:"TEMPORARY"; nocase; distance:0;
> content:"TABLE"; nocase; distance:0; pcre:"/CREATE.+TEMPORARY.+TABLE/i";
> classtype:attempted-dos; reference:url,bugs.mysql.com/bug.php?id=54044;
> reference:bid,42598; reference:cve,2010-3680; sid:13400003; rev:1;)
>  
> alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET DOS Possible
> Oracle MySQL WITH ROLLUP Denial Of Service"; flow:established,to_server;
> content:"SELECT"; nocase; content:"WITH"; nocase; distance:0;
> content:"ROLLUP"; distance:0; nocase;
> pcre:"/SELECT.+(CASE.+WHEN.+END|IN).+WITH.+ROLLUP/i";
> classtype:attempted-dos; reference:url,bugs.mysql.com/bug.php?id=54477;
> reference:bid,42596; reference:cve,2010-3678; sid:13400004; rev:1;)
> 
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT
> Trend Micro Internet Security Pro 2010 ActiveX extSetOwner Remote Code
> Execution Attempt"; flow:established,to_client; content:"clsid"; nocase;
> content:"15DBC3F9-9F0A-472E-8061-043D9CEC52F0"; nocase; distance:0;
> content:"extSetOwner"; nocase;
> pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*15DBC3F9-9F0A-472E-8061-043D9CEC52F0/si";
> classtype:attempted-user;
> reference:url,www.exploit-db.com/trend-micro-internet-security-pro-2010-activex-extsetowner-remote-code-execution/;
> sid:13400005; rev:1;)
> 
> alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET DOS Possible
> Oracle MySQL HANDLER Interface Denial Of Service Attempt";
> flow:established,to_server; content:"HANDLER"; nocase; content:"READ";
> nocase; distance:0; content:"NEXT"; nocase; distance:0;
> pcre:"/HANDLER.+READ.+NEXT/i"; classtype:attempted-dos;
> reference:url,bugs.mysql.com/bug.php?id=54007; reference:bid,42633;
> reference:cve,2010-3681; sid:13400006; rev:1;)
> 
> alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET DOS Possible
> Oracle MySQL DDL Statements Denial Of Service Attempt";
> flow:established,to_server; content:"CREATE"; nocase;
> content:"TEMPORARY"; nocase; distance:0; content:"TABLE"; nocase;
> distance:0; content:"ENGINE"; nocase; distance:0; content:"="; within:2;
> pcre:"/CREATE.+TEMPORARY.+TABLE.+ENGINE/i"; classtype:attempted-dos;
> reference:url,bugs.mysql.com/bug.php?id=55039; reference:bid,42643;
> reference:cve,2010-3676; sid:13400007; rev:1;)
> 
> alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET EXPLOIT Oracle
> MySQL Privilege Escalation Attempt"; flow:established,to_server;
> content:"SET"; nocase; content:"mysql.user.Super_priv='Y'"; nocase;
> distance:0; classtype:attempted-admin; reference:bid,43677;
> sid:13400008; rev:1;)
> 
> 
> 
> 
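To illustrate the false-positive concern raised in this reply, the following is an added Python example, not part of the thread or of the ET ruleset: it replays the pcre bodies of the quoted MySQL DoS rules, including the ET.mysql.innodb flowbit gating between sids 13400002 and 13400003, over a constructed set of routine DBA statements and reports which rules would fire on ordinary traffic.

```python
import re

# pcre bodies from the quoted MySQL DoS rules, Snort's /i mapped to re.I. Each pcre
# is at least as strict as its rule's content: matches, so it stands in for the rule
# (13400007 also wants "=" within 2 bytes of ENGINE, which the sample satisfies).
RULE_PCRE = {
    13400002: re.compile(r"SET.+storage_engine=", re.I),      # flowbit setter, noalert
    13400003: re.compile(r"CREATE.+TEMPORARY.+TABLE", re.I),  # requires flowbit isset
    13400004: re.compile(r"SELECT.+(CASE.+WHEN.+END|IN).+WITH.+ROLLUP", re.I),
    13400006: re.compile(r"HANDLER.+READ.+NEXT", re.I),
    13400007: re.compile(r"CREATE.+TEMPORARY.+TABLE.+ENGINE", re.I),
}

# Constructed sample of one client session's routine SQL; none of it exercises the
# referenced bugs, it is ordinary DBA/application traffic.
BENIGN_FLOW = [
    "SET SESSION storage_engine=InnoDB",
    "CREATE TEMPORARY TABLE tmp_report (id INT, total DECIMAL(10,2))",
    "CREATE TEMPORARY TABLE tmp_cache (k VARCHAR(64)) ENGINE=MEMORY",
    "SELECT region, SUM(sales) FROM orders WHERE status IN ('paid') "
    "GROUP BY region WITH ROLLUP",
    "HANDLER orders OPEN; HANDLER orders READ `PRIMARY` FIRST; HANDLER orders READ NEXT",
    "SELECT * FROM customers WHERE id = 42",
]

def matching_rules(statement):
    """Sids whose pcre matches one statement, ignoring flowbit state."""
    return sorted(sid for sid, pat in RULE_PCRE.items() if pat.search(statement))

def evaluate_flow(statements):
    """Replay one established client->server flow in order, honouring the flowbit
    that 13400002 sets silently and 13400003 needs; return (sid, statement) alerts."""
    flowbit_set = False
    alerts = []
    for stmt in statements:
        if RULE_PCRE[13400002].search(stmt):
            flowbit_set = True  # flowbits:set + noalert: state change only
        for sid, pat in RULE_PCRE.items():
            if sid == 13400002:
                continue
            if sid == 13400003 and not flowbit_set:
                continue  # flowbits:isset,ET.mysql.innodb not satisfied
            if pat.search(stmt):
                alerts.append((sid, stmt))
    return alerts

if __name__ == "__main__":
    for sid, stmt in evaluate_flow(BENIGN_FLOW):
        print(f"sid:{sid} would fire on benign SQL: {stmt}")
```

Five of the six routine statements raise an alert once a plain `SET storage_engine` has armed the flowbit, which is the behaviour the reply above objects to.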