#
###############################################################################
# This is the signatures file used by psad to look for suspect network traffic
# that is readily identifiable through attributes of a single packet, rather
# than by setting thresholds over several packets in order to determine whether
# some IP is scanning your machine.  Most of these signatures were adapted from
# the Snort intrusion detection system (http://www.snort.org).
#
# NOTE:  New signatures may be constructed using the format shown below, but
# tcp flags MUST appear in the order in which they are reported by iptables log
# messages.  This order is: "URG, ACK, PSH, RST, SYN, FIN"
#
# Also, as of psad 0.9.0 the only supported transport header fields are the
# port number and the tcp flags.  Later versions will support other header
# fields that iptables can report, such as those enabled with --log-tcp-options,
# --log-tcp-sequence, --log-ip-options, etc...
#
###############################################################################
#
# $Id: psad_signatures,v 1.18 2003/06/19 00:53:46 mbr Exp $
#

############# tcp signatures #############
# Backdoor signatures
# Each rule keys on the destination port named in the rule plus the SYN flag
# (flags: S); dlevel is the danger level psad assigns when the rule matches.
psad:0001; tcp; any -> 1524;  msg: "default Backdoor access!"; flags: S; dlevel: 1;
psad:0002; tcp; any -> 12345; msg: "Netbus/GabanBus"; flags: S; dlevel: 1;
psad:0003; tcp; any -> 12346; msg: "Netbus/GabanBus"; flags: S; dlevel: 1;
psad:0004; tcp; any -> 12361; msg: "Whack-a-mole"; flags: S; dlevel: 1;
psad:0005; tcp; any -> 12362; msg: "Whack-a-mole"; flags: S; dlevel: 1;
psad:0006; tcp; any -> 31337; msg: "BIND Shell"; flags: S; dlevel: 2;
# NOTE(review): psad:0007 writes "flags:S" without the space every other rule
# in this file uses -- confirm the parser tolerates the missing whitespace.
psad:0007; tcp; any -> 30100; msg: "Possible NetSphere access"; flags:S; dlevel: 1;
psad:0008; tcp; any -> 30102; msg: "Possible NetSphere FTP access"; flags: S; dlevel: 1;
psad:0009; tcp; any -> 21554; msg: "Possible GirlFriend access"; flags: S; dlevel: 1;
psad:0010; tcp; any -> 23456; msg: "Possible EvilFTP access"; flags: S; dlevel: 1;
psad:0011; tcp; any -> 1243;  msg: "Possible SubSeven access"; flags: S; dlevel: 2;
psad:0012; tcp; any -> 6776;  msg: "Possible SubSeven access"; flags: S; dlevel: 2;

# DDoS signatures
# Note that psad:0014 matches on ACK+PSH rather than a bare SYN, so it fires on
# an established exchange rather than a connection attempt.
psad:0013; tcp; any -> 15104; msg: "DDoS - mstream client to handler"; flags: S; dlevel: 1;
psad:0014; tcp; any -> 20432; msg: "DDoS shaft client to handler"; flags: AP; dlevel: 1;
# The two rules below stay commented out: they depend on a "seq:" field, which
# the header says is not a supported transport field as of psad 0.9.0.
# tcp :1024 -> any msg:"IDS253 - DDoS shaft synflood outgoing"; flags: S; seq: 674711609; dlevel: 1;
# tcp :1024 -> any msg:"IDS252 - DDoS shaft synflood incoming"; flags: S; seq: 674711609; dlevel: 1;

# Miscellaneous signatures
# These use the source-port side of the rule as well: "6000:6005 -> any" and
# "53 -> :1023" are source-port (range) -> destination-port (range), and
# "!53" negates the source port.
psad:0015; tcp; 6000:6005 -> any; msg: "Outgoing Xterm"; flags: AS; dlevel: 1;
psad:0016; tcp; 53 -> :1023;  msg: "MISC-Source Port Traffic 53 TCP"; flags: S; dlevel: 1;
psad:0017; tcp; 20 -> :1023;  msg: "MISC-Source Port Traffic 20 TCP"; flags: S; dlevel: 1;
psad:0018; tcp; !53 -> 1080;  msg: "MISC-WinGate-1080-Attempt"; flags: S; dlevel: 1;
psad:0019; tcp; !53 -> 8080;  msg: "MISC-WinGate-8080-Attempt"; flags: S; dlevel: 1;
# NOTE(review): psad:0020 is the only tcp rule in this file with no "flags:"
# field -- confirm whether psad treats that as "any flags" or ignores the rule.
psad:0020; tcp; any -> 32771; msg: "MISC-Attempted Sun RPC high port access"; dlevel: 1;
psad:0021; tcp; 7161 -> any;  msg: "CVE-1999-0430 - Cisco Catalyst Remote Access"; flags: AS; dlevel: 1;
# The rules below need ttl, ipopts or dsize, none of which is a supported field
# as of psad 0.9.0 (see header), so they remain commented out.
# tcp any -> any msg:"MISC-Traceroute TCP"; ttl:"1"; dlevel: 1; 
# tcp any -> any ipopts: lsrr; msg: "Source routed packet"; dlevel: 1; 
# tcp any -> 617 msg:"MISC Knox Arkeia DOS"; flags:AP; dsize:>1445; dlevel: 1; 
# tcp any -> any ipopts: ssrr; msg: "Source routed packet"; dlevel: 1; 
# tcp any -> 617 msg:"IDS261 - MISC DoS arkiea backup"; flags: AP; dsize: >1445; dlevel: 1; 

# "tcp ping" signature
# tcp any -> any msg:"IDS028 - PING NMAP TCP"; flags:A; ack:0; dlevel: 1; 

### DNS probe
# SYN+FIN set together on a packet to port 53; a normal connection never
# carries both, which is why this gets dlevel 2 rather than 1.
psad:0022; tcp; any -> 53; msg: "DNS tcp probe"; flags: SF; dlevel: 2;

### oddball scans OS fingerprinting, SYN-FIN, etc...
# All of these are "any -> any": they key purely on an illegal or unusual tcp
# flag combination, so they can fire on traffic to any port.
# NOTE(review): psad:0023 and psad:0024 have identical match conditions
# (any -> any, flags: UPSF) and differ only in msg -- presumably both fire on
# the same packet; consider keeping just one.
psad:0023; tcp; any -> any; msg: "Possible NMAP Fingerprint attempt"; flags: UPSF; dlevel: 2;
psad:0024; tcp; any -> any; msg: "SCAN-Possible NMAP Fingerprint attempt"; flags: UPSF; dlevel: 2;
psad:0025; tcp; any -> any; msg: "SCAN-SYN FIN"; flags: SF; dlevel: 2;
# NOTE(review): "N" is not one of the six flag letters listed in the header
# (URG, ACK, PSH, RST, SYN, FIN); presumably it means no flags set (NULL scan),
# as the msg suggests -- confirm against the parser.
psad:0026; tcp; any -> any; msg: "SCAN-NULL"; flags: N; dlevel: 2;
psad:0027; tcp; any -> any; msg: "NMAP XMAS scan"; flags: UPF; dlevel: 2;
psad:0028; tcp; any -> any; msg: "SCAN-FIN"; flags: F; dlevel: 2;
# The rules below need seq, ack, dsize or the reserved "12" flag bits, none of
# which is a supported field as of psad 0.9.0 (see header).
# tcp any -> any msg:"IDS236 - SCAN-IP Eye SYN Scan"; flags: S; seq: 1958810375; dlevel: 1; 
# tcp any -> any msg:"IDS004 - SCAN-NULL Scan"; flags:0; seq:0; ack:0; dlevel: 1; 
# tcp any -> any msg:"IDS029 - SCAN-Possible Queso Fingerprint attempt"; flags:S12; dlevel: 1; 
# tcp any -> any msg:"Possible Queso Fingerprint attempt"; flags: S12; dlevel: 1;
# tcp any -> any flags: A; ack: 0; msg:"NMAP TCP ping!"; dlevel: 1;
# tcp any -> 80 msg:"IDS146 - SCAN-Cybercop OS Probe sf12"; flags: SF12; dsize: 0; dlevel: 1; 

# IIS scans.  Ha, ha, our Linux box is not vulnerable but if it is the firewall for a network that runs
# Windoze boxen, wouldn't you want to know when someone is trying these?
# "1024:" on the source side means any source port from 1024 upward; the
# destination is a single port or a small range (1031:1035).
psad:0029; tcp; 1024: -> 1031:1035; msg: "IIS - Possible Attempt at NT INETINFO.EXE 100% CPU Utilization"; flags: S; dlevel: 1;
psad:0030; tcp; 1024: -> 1029; msg: "IIS - Possible Attempt at NT DNS.EXE 100% CPU Utilization (port 1029)"; flags: S; dlevel: 1;
psad:0031; tcp; 1024: -> 1091; msg: "IIS - Possible Attempt at NT DNS.EXE 100% CPU Utilization (port 1091)"; flags: S; dlevel: 1;
psad:0032; tcp; 1024: -> 1043; msg: "IIS - Possible Attempt at NT WINS.EXE 100% CPU Utilization"; flags: S; dlevel: 1;
psad:0033; tcp; 1024: -> 1038; msg: "IIS - Possible Attempt at NT TCPSVCS.EXE 100% CPU Utilization"; flags: S; dlevel: 1;

############# udp signatures #############
# psad needs to support other packet fields such as ttl, len, etc. before it
# can recognize more udp signatures; until then these key on ports alone.
psad:0034; udp; any -> 31337; msg: "Back Orifice"; dlevel: 2;
psad:0035; udp; any -> 31338; msg: "Deep Back Orifice"; dlevel: 2;
# The three rules below together cover destination ports 0-1023 from source
# port 53, split so that each range carries its own msg.
psad:0036; udp; 53 -> 138:1023; msg: "MISC-Source Port Traffic 138-1023"; dlevel: 1;
psad:0037; udp; 53 -> 54:136;   msg: "MISC-Source Port Traffic 54-136"; dlevel: 1;
psad:0038; udp; 53 -> 0:52;     msg: "MISC-Source Port Traffic 0-52"; dlevel: 1;

############ icmp signatures #############
# icmp rules have no port fields; they key on itype (and optionally icode,
# icmp_id, icmp_seq, ttl).
psad:0039; icmp; msg: "DDoS - TFN client command LE"; itype: 0; icmp_id: 51201; icmp_seq: 0; dlevel: 1;
psad:0040; icmp; msg: "DDoS - TFN client command BE"; itype: 0; icmp_id: 456; icmp_seq: 0; dlevel: 1;
# NOTE(review): psad:0041 and psad:0042 both match itype 10 with no other
# condition and differ only in msg -- presumably both fire; consider keeping one.
psad:0041; icmp; msg: "MISC-IRDP-Router-Selection(l0phtattack)";itype:10; dlevel: 1;
psad:0042; icmp; msg: "MISC-IRDPRouterSelection";itype:10; dlevel: 1;
psad:0043; icmp; msg: "MISC-IRDPRouterAdvertisement";itype:9; dlevel: 1;
psad:0044; icmp; msg: "CVE-1999-0265 - MISC-ICMPRedirectNet";itype:5;icode:0; dlevel: 1;
psad:0045; icmp; msg: "CVE-1999-0265 - MISC-ICMPRedirectHost";itype:5;icode:1; dlevel: 1;
psad:0046; icmp; msg: "MISC-Traceroute ICMP";ttl:1;itype:8; dlevel: 1;
psad:0047; icmp; msg: "ICMP Message"; itype:18; dlevel: 1;
psad:0048; icmp; msg: "ICMP Destination Unreachable"; itype:3; dlevel: 1;
psad:0049; icmp; msg: "ICMP Source Quench"; itype:4; dlevel: 1;
psad:0050; icmp; msg: "ICMP Time Exceeded"; itype:11; dlevel: 1;
psad:0051; icmp; msg: "ICMP Parameter Problem"; itype:12; dlevel: 1;
psad:0052; icmp; msg: "ICMP Timestamp"; itype:13; dlevel: 1;
psad:0053; icmp; msg: "ICMP Information Request"; itype:15; dlevel: 1;
psad:0054; icmp; msg: "ICMP Information Reply"; itype:16; dlevel: 1;
psad:0055; icmp; msg: "ICMP Subnet Mask Request"; itype:17; dlevel: 1;
# NOTE(review): psad:0056 has the same conditions as psad:0046 (ttl 1, itype 8)
# but spells the field "TTL" where 0046 uses "ttl" -- confirm the parser is
# case-insensitive, and whether two rules with identical conditions are wanted.
psad:0056; icmp; msg: "Windows Traceroute"; TTL: 1; itype: 8; dlevel: 1;
# icmp msg:"echo request"; TTL: 64; itype: 8; dlevel: 1;
# icmp 3.3.3.3/32 any -> $EXTERNAL_NET any (msg:"IDS193 - DDoS - Stacheldraht server-spoof"; itype: 0; icmp_id: 666;
