Operativa
Páginas: 7 (1581 palabras)
Publicado: 8 de diciembre de 2012
#######
# TCP
#
# filter ssh
tcp[(tcp[12]>>2):4] = 0x5353482D && (tcp[((tcp[12]>>2)+4):2] = 0x312E || \
tcp[((tcp[12]>>2)+4):2] = 0x322E)
# filter "combine" rlogin
(tcp[(ip[2:2]-((ip[0]&0x0f)<<2))-1]=0) && \
((ip[2:2]-((ip[0]&0x0f)<<2) - (tcp[12]>>2)) != 0) && \
((ip[2:2]-((ip[0]&0x0f)<<2) -(tcp[12]>>2)) <= 128)
# filter ftp
tcp[(tcp[12]>>2):4] = 0x3232302d || tcp[(tcp[12]>>2):4] = 0x32323020
# URG set and ACK not set
tcp[13] & 0x30 = 0x20
# IMAP service exploit
tcp && (tcp[13] & 2 != 0) && (dst port 143)
# filter root backdoor
tcp[(tcp[12]>>2):2] = 0x2320 && \
(ip[2:2] - ((ip[0]&0x0f)<<2) -(tcp[12]>>2)) == 2
# RST set and FIN set
tcp[13] & 0x05 = 5
# filter out napster
((ip[2:2] - ((ip[0]&0x0f)<<2) - (tcp[12]>>2)) = 4 && \
tcp[(tcp[12]>>2):4] = 0x53454e44) || \
((ip[2:2] - ((ip[0]&0x0f)<<2) - (tcp[12]>>2)) = 3 && \
tcp[(tcp[12]>>2):2] = 0x4745 && tcp[(tcp[12]>>2)+2]=0x54)
# telnet
tcp[2:2] = 23
#again telnet but beter...
(tcp[(tcp[12]>>2):2] > 0xfffa) && (tcp[(tcp[12]>>2):2] < 0xffff)
# attempted ftp connection to other hosts on the network than the ftp server
dst net 82.48.9.1/22 && dst port 21 \
&& (tcp[13] & 0x3f = 2) && !(dst host ftp.bla.org)
# attempts to include data on the initial SYN.
tcp[13] & 0xff = 2&& \
(ip[2:2] - ((ip[0] & 0x0f) * 4) - ((tcp[12] & 0xf0) / 4)) != 0
# active open (syn set without ack)
(tcp[13] & 0x12 < 16)
# winnuke DOS attack
(tcp[2:2] = 139) && (tcp[13] & 0x20 != 0) && (tcp[19] & 0x01 = 1)
# destination port less than 1024
tcp[2:2] < 1024
# SYN set and FIN set
tcp[13] & 0x03 = 3
# one of the reserved bitsof tcp[13] is set
tcp[13] & 0xc0 != 0
# DNS zone transfer
tcp && dst port 53
# active open connection, syn is set, ack is not
tcp[13] & 0x12 = 2
# X11 ports
(tcp[2:2] >= 6000) && (tcp[2:2] < 7000)
# TCP port 6667 with ACK flag set and payload starting at byte 12
# that does not include the asciiwords "PING", "PONG", "JOIN", or "QUIT".
(tcp[13]& 0x10 = 1) && (tcp[0:2]=6667 || tcp[2:2]=6667) \
&& (not ip[32:4] = 1346981447 || not ip[32:4] = 1347374663 \
|| not ip[32:4] = 1246710094 || not ip[32:4] = 1364543828)
# except ack push
(tcp[13] & 0xe7) != 0
# all packets with the PUSH flag set
tcp[13] & 8 != 0
# all packets with the RST flag set
tcp[13] & 4 != 0
# filter out gnutellatcp[(tcp[12]>>2):4] = 0x474e5554 && \
tcp[(4+(tcp[12]>>2)):4] = 0x454c4c41 && tcp[8+(tcp[12]>>2)] = 0x20
# catch default hping 2 pings
tcp [3] = 0 && tcp[13] = 0
# FIN set and ACK not set
tcp[13] & 0x11 = 1
# null scan filter with no flags set
tcp[13] = 0
# could also be written as
tcp[13] & 0xff = 0
# no flags set, null packettcp[13] & 0x3f = 0
# syn-fyn
tcp[13] = 3
# syn-fyn both flags set
(tcp[13] & 0x03) = 3
# only syn..
tcp[13] & 0x02) != 0
# reserved bits set
tcp[14] >= 64
# incomming http requests
(tcp[13:1]&18 = 2) && (port 80) && (ip dst 192.168.1.40)
# broadcasts x.x.x.255
ip[19] = 0xff
# broadcasts x.x.x.0
ip[19] = 0x00
# Incomming SYN packetstcp && (tcp[13] & 0x02 != 0) && \
(tcp[13] & 0x10 = 0) && (not dst port 53) && \
(not dst port 80) && (not dst port 25) && (not dst port 21)
# SMB
dst port 139 && tcp[13:1] & 18 = 2
# ACK flag set, ack value is ZERO. Not normal for three-way handshake.
# Possible capture of NMAP(1) os fingerprinting.
tcp[13] &...
# TCP
#
# filter ssh
tcp[(tcp[12]>>2):4] = 0x5353482D && (tcp[((tcp[12]>>2)+4):2] = 0x312E || \
tcp[((tcp[12]>>2)+4):2] = 0x322E)
# filter "combine" rlogin
(tcp[(ip[2:2]-((ip[0]&0x0f)<<2))-1]=0) && \
((ip[2:2]-((ip[0]&0x0f)<<2) - (tcp[12]>>2)) != 0) && \
((ip[2:2]-((ip[0]&0x0f)<<2) -(tcp[12]>>2)) <= 128)
# filter ftp
tcp[(tcp[12]>>2):4] = 0x3232302d || tcp[(tcp[12]>>2):4] = 0x32323020
# URG set and ACK not set
tcp[13] & 0x30 = 0x20
# IMAP service exploit
tcp && (tcp[13] & 2 != 0) && (dst port 143)
# filter root backdoor
tcp[(tcp[12]>>2):2] = 0x2320 && \
(ip[2:2] - ((ip[0]&0x0f)<<2) -(tcp[12]>>2)) == 2
# RST set and FIN set
tcp[13] & 0x05 = 5
# filter out napster
((ip[2:2] - ((ip[0]&0x0f)<<2) - (tcp[12]>>2)) = 4 && \
tcp[(tcp[12]>>2):4] = 0x53454e44) || \
((ip[2:2] - ((ip[0]&0x0f)<<2) - (tcp[12]>>2)) = 3 && \
tcp[(tcp[12]>>2):2] = 0x4745 && tcp[(tcp[12]>>2)+2]=0x54)
# telnet
tcp[2:2] = 23
#again telnet but beter...
(tcp[(tcp[12]>>2):2] > 0xfffa) && (tcp[(tcp[12]>>2):2] < 0xffff)
# attempted ftp connection to other hosts on the network than the ftp server
dst net 82.48.9.1/22 && dst port 21 \
&& (tcp[13] & 0x3f = 2) && !(dst host ftp.bla.org)
# attempts to include data on the initial SYN.
tcp[13] & 0xff = 2&& \
(ip[2:2] - ((ip[0] & 0x0f) * 4) - ((tcp[12] & 0xf0) / 4)) != 0
# active open (syn set without ack)
(tcp[13] & 0x12 < 16)
# winnuke DOS attack
(tcp[2:2] = 139) && (tcp[13] & 0x20 != 0) && (tcp[19] & 0x01 = 1)
# destination port less than 1024
tcp[2:2] < 1024
# SYN set and FIN set
tcp[13] & 0x03 = 3
# one of the reserved bitsof tcp[13] is set
tcp[13] & 0xc0 != 0
# DNS zone transfer
tcp && dst port 53
# active open connection, syn is set, ack is not
tcp[13] & 0x12 = 2
# X11 ports
(tcp[2:2] >= 6000) && (tcp[2:2] < 7000)
# TCP port 6667 with ACK flag set and payload starting at byte 12
# that does not include the asciiwords "PING", "PONG", "JOIN", or "QUIT".
(tcp[13]& 0x10 = 1) && (tcp[0:2]=6667 || tcp[2:2]=6667) \
&& (not ip[32:4] = 1346981447 || not ip[32:4] = 1347374663 \
|| not ip[32:4] = 1246710094 || not ip[32:4] = 1364543828)
# except ack push
(tcp[13] & 0xe7) != 0
# all packets with the PUSH flag set
tcp[13] & 8 != 0
# all packets with the RST flag set
tcp[13] & 4 != 0
# filter out gnutellatcp[(tcp[12]>>2):4] = 0x474e5554 && \
tcp[(4+(tcp[12]>>2)):4] = 0x454c4c41 && tcp[8+(tcp[12]>>2)] = 0x20
# catch default hping 2 pings
tcp [3] = 0 && tcp[13] = 0
# FIN set and ACK not set
tcp[13] & 0x11 = 1
# null scan filter with no flags set
tcp[13] = 0
# could also be written as
tcp[13] & 0xff = 0
# no flags set, null packettcp[13] & 0x3f = 0
# syn-fyn
tcp[13] = 3
# syn-fyn both flags set
(tcp[13] & 0x03) = 3
# only syn..
tcp[13] & 0x02) != 0
# reserved bits set
tcp[14] >= 64
# incomming http requests
(tcp[13:1]&18 = 2) && (port 80) && (ip dst 192.168.1.40)
# broadcasts x.x.x.255
ip[19] = 0xff
# broadcasts x.x.x.0
ip[19] = 0x00
# Incomming SYN packetstcp && (tcp[13] & 0x02 != 0) && \
(tcp[13] & 0x10 = 0) && (not dst port 53) && \
(not dst port 80) && (not dst port 25) && (not dst port 21)
# SMB
dst port 139 && tcp[13:1] & 18 = 2
# ACK flag set, ack value is ZERO. Not normal for three-way handshake.
# Possible capture of NMAP(1) os fingerprinting.
tcp[13] &...
Leer documento completo
Regístrate para leer el documento completo.