# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
# All rights reserved.
# $Id: snortruleinfo.cgi_netbios.html,v 1.1.1.1 2005/11/22 10:15:17 root Exp $
#--------------
# NETBIOS RULES
#--------------



# --- IPC$ tree connect --------------------------------------------------------
# SMB1 TREE_CONNECT_ANDX (command byte 0x75, the 'u' in |FF|SMBu) to the IPC$
# share, on the NetBIOS session port (139) and direct-hosted SMB (445).
# Decode prefix shared by all share-access rules in this file:
#   content:"|00|" offset:0 depth:1     NBSS message type 0x00 (session message)
#   content:"|FF|SMBu" distance:3       SMB header magic + command byte
#   byte_test:1,&/!&,128,6,relative     presumably the SMB_FLAGS2_UNICODE bit
#                                       (0x8000); the two variants of each pair
#                                       split ASCII vs unicode share names
#   pcre:"/^.{27}/R"                    skip the remainder of the 32-byte header
#   byte_jump:2,7,little,relative       appears to read the 2-byte password
#                                       length and hop over the password so the
#                                       share path sits at a fixed distance
# NOTE(review): 537/538 and 2465/2466 set flowbits smb.tree.connect.ipc, which
# the winreg create-tree rules (2174/2175 on 139, 2476/2477 on 445) require via
# flowbits:isset. Disabling these silently breaks that chain on the affected
# port. IPC$ connects are normal Windows behaviour, so on a $HOME_NET that
# serves SMB this is volume rather than signal - if the noise hurts, keep the
# rules enabled for the flowbit and add flowbits:noalert instead of removing them.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IPC$ share access"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMBu"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"IPC|24 00|"; nocase; distance:2; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:537; rev:14;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IPC$ unicode share access"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMBu"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"I|00|P|00|C|00 24 00 00 00|"; nocase; distance:2; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:538; rev:14;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IPC$ share access"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMBu"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"IPC|24 00|"; nocase; distance:2; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:2465; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IPC$ unicode share access"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMBu"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"I|00|P|00|C|00 24 00 00 00|"; nocase; distance:2; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:2466; rev:6;)


# --- D$ administrative share ----------------------------------------------------
# Same decode chain as the IPC$ rules; no flowbit is set, these are stand-alone
# informational alerts.
# NOTE(review): the share-name content has no within: modifier, so after
# distance:2 it is searched from the start of the path to the end of the
# payload, and "D|24 00|" (nocase) also matches any longer share name that
# happens to end in "D$". Compare the C$ rules, which at least exclude IPC$.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB D$ share access"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMBu"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"D|24 00|"; nocase; distance:2; classtype:protocol-command-decode; sid:536; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB D$ unicode share access"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMBu"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"D|00 24 00 00 00|"; nocase; distance:2; classtype:protocol-command-decode; sid:2467; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS D$ share access"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMBu"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"D|24 00|"; nocase; distance:2; classtype:protocol-command-decode; sid:2468; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS D$ unicode share access"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMBu"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"D|00 24 00 00 00|"; nocase; distance:2; classtype:protocol-command-decode; sid:2469; rev:6;)

# --- C$ administrative share ----------------------------------------------------
# Same decode chain as the IPC$ rules. The trailing negative match
# (content:!"IPC|24 00|"; distance:-5; within:5 - or the 10-byte unicode form
# with distance:-10; within:10) backs up over the bytes just matched and
# rejects the hit when the "C$" was really the tail of "IPC$"; without it
# every IPC$ connect would also raise 533/2470/2471/2472.
# NOTE(review): as with D$, the share-name content is not bounded by within:,
# so any other share name ending in "C$" still matches.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB C$ share access"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMBu"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"C|24 00|"; nocase; distance:2; content:!"IPC|24 00|"; nocase; distance:-5; within:5; classtype:protocol-command-decode; sid:533; rev:14;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB C$ unicode share access"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMBu"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"C|00 24 00 00 00|"; nocase; distance:2; content:!"I|00|P|00|C|00 24 00 00 00|"; nocase; distance:-10; within:10; classtype:protocol-command-decode; sid:2470; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS C$ share access"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMBu"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"C|24 00|"; nocase; distance:2; content:!"IPC|24 00|"; nocase; distance:-5; within:5; classtype:protocol-command-decode; sid:2471; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS C$ unicode share access"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMBu"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"C|00 24 00 00 00|"; nocase; distance:2; content:!"I|00|P|00|C|00 24 00 00 00|"; nocase; distance:-10; within:10; classtype:protocol-command-decode; sid:2472; rev:8;)



# --- ADMIN$ administrative share ------------------------------------------------
# Same decode chain as the IPC$ rules; no flowbit. ADMIN$ maps to the system
# root, and connects to it from outside are a common precursor to remote
# service installation, so these are worth correlating with later activity on
# the same source/destination even though they are classed
# protocol-command-decode. The share-name content is unbounded (no within:),
# as in the D$ and C$ rules.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB ADMIN$ share access"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMBu"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"ADMIN|24 00|"; nocase; distance:2; classtype:protocol-command-decode; sid:532; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB ADMIN$ unicode share access"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMBu"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"A|00|D|00|M|00|I|00|N|00 24 00 00 00|"; nocase; distance:2; classtype:protocol-command-decode; sid:2473; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS ADMIN$ share access"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMBu"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"ADMIN|24 00|"; nocase; distance:2; classtype:protocol-command-decode; sid:2474; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS ADMIN$ unicode share access"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMBu"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"A|00|D|00|M|00|I|00|N|00 24 00 00 00|"; nocase; distance:2; classtype:protocol-command-decode; sid:2475; rev:6;)


# --- winreg pipe open over 139 ------------------------------------------------
# SMB1 NT_CREATE_ANDX (command 0xA2) opening \winreg on the IPC$ tree.
# Requires smb.tree.connect.ipc (set by 537/538) and sets
# smb.tree.create.winreg. Unlike the share-name matches above, the pipe name
# is bounded (distance:51; within:8 / within:16), so it is anchored to a
# fixed position in the request.
# NOTE(review): nothing in this file consumes smb.tree.create.winreg on a
# port-139 flow - the winreg bind rules (2478/2479) and the
# InitiateSystemShutdown rules (2480-2483) exist only for 445. Unless another
# rule file uses the bit, 2174/2175 are the end of the 139 chain.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg create tree attempt"; flowbits:isset,smb.tree.connect.ipc; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|A2|"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|5C|winreg|00|"; nocase; distance:51; within:8; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2174; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg unicode create tree attempt"; flowbits:isset,smb.tree.connect.ipc; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|A2|"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|5C 00|w|00|i|00|n|00|r|00|e|00|g|00 00 00|"; nocase; distance:51; within:16; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2175; rev:7;)

# Where did these come from? I don't know. Let's disable them for real for now
# and deal with it later...
### alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; depth:5; offset:4; content:"|5C|winreg|00|"; offset:85; nocase; classtype:attempted-recon; rev:2;)
### alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; depth:5; offset:4; content:"|5C 00|w|00|i|00|n|00|r|00|e|00|g|00|"; offset:85; nocase; classtype:attempted-recon; rev:2;)


# --- winreg pipe open over 445 ------------------------------------------------
# 445 twins of 2174/2175: NT_CREATE_ANDX (0xA2) of \winreg. Require
# smb.tree.connect.ipc (set by 2465/2466) and set smb.tree.create.winreg,
# which the winreg bind rules 2478/2479 require. Disabling either end of
# that chain disables the InitiateSystemShutdown rules as well.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg create tree attempt"; flowbits:isset,smb.tree.connect.ipc; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|A2|"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|5C|winreg|00|"; nocase; distance:51; within:8; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2476; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg unicode create tree attempt"; flowbits:isset,smb.tree.connect.ipc; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|A2|"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|5C 00|w|00|i|00|n|00|r|00|e|00|g|00 00 00|"; nocase; distance:51; within:16; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2477; rev:5;)


# --- DCERPC bind to the winreg interface (445) ----------------------------------
# SMB1 TRANSACTION (command 0x25, the '%' in |FF|SMB%) carrying a
# TransactNmPipe sub-command ("&|00|" at distance:29) on \PIPE\. Then
# byte_jump:2,-10,relative,from_beginning reads the transaction's data-offset
# field and jumps from the start of the packet to the DCERPC PDU, where the
# rule checks |05| (RPC version), |0B| (bind, packet type 11) and, at
# distance:29, the 16-byte interface UUID that the msg identifies as winreg.
# Requires smb.tree.create.winreg (2476/2477); sets smb.tree.bind.winreg for
# the InitiateSystemShutdown rules 2480-2483.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg bind attempt"; flowbits:isset,smb.tree.create.winreg; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; distance:1; within:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; within:16; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2478; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg unicode bind attempt"; flowbits:isset,smb.tree.create.winreg; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; distance:1; within:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; within:16; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2479; rev:6;)


# --- winreg InitiateSystemShutdown (opnum 24 = 0x18) over 445 --------------------
# Same SMB / TransactNmPipe decode as the bind rules above. After |05| (RPC
# version) the rules check |00| (request PDU) at distance:1 and the 2-byte
# opnum at distance:19 (offset 22 of the request header).
# byte_test:1,&/!&,16,3,relative reads the first data-representation byte and
# tests bit 0x10. Requires smb.tree.bind.winreg from 2478/2479.
# NOTE(review): in DCERPC, drep bit 0x10 SET means little-endian integers, in
# which opnum 24 is encoded as 18 00. Here the "&,16" rules (2480, 2482) pair
# that with |00 18|, and the "!&,16" rules (2481, 2483, labelled "little
# endian") with |18 00| - the opposite of the convention as I read it. If that
# reading is right, a consistently encoded request matches neither sid of a
# pair. Verify against a captured InitiateSystemShutdown call before relying
# on these for detection.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS InitiateSystemShutdown unicode attempt"; flowbits:isset,smb.tree.bind.winreg; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 18|"; distance:19; within:2; classtype:protocol-command-decode; sid:2480; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS InitiateSystemShutdown unicode little endian attempt"; flowbits:isset,smb.tree.bind.winreg; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|18 00|"; distance:19; within:2; classtype:protocol-command-decode; sid:2481; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS InitiateSystemShutdown attempt"; flowbits:isset,smb.tree.bind.winreg; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 18|"; distance:19; within:2; classtype:protocol-command-decode; sid:2482; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS InitiateSystemShutdown little endian attempt"; flowbits:isset,smb.tree.bind.winreg; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|18 00|"; distance:19; within:2; classtype:protocol-command-decode; sid:2483; rev:6;)



# --- legacy worm / DoS / recon signatures on 139 ----------------------------------
# Plain content matches with no offset/depth, evaluated anywhere in the
# client->server stream once the session is established. Cheap, but each
# fires on the byte string alone: 1293-1295 match UTF-16 ".EML", ".NWS" and
# "RICHED20" file names in any SMB request, so ordinary file copies of such
# names alert exactly like Nimda traffic. 529 and 530 match fixed unicode
# strings; 1239 needs both "BEAVIS" and "yep yep" in the same stream; 534/535
# look for "\../" and "\..." path components (traversal recon). Treat these
# as low-confidence and correlate with the share-access rules above rather
# than acting on them alone.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda .eml"; flow:to_server,established; content:"|00|.|00|E|00|M|00|L"; reference:url,www.f-secure.com/v-descs/nimda.shtml; classtype:bad-unknown; sid:1293; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda .nws"; flow:to_server,established; content:"|00|.|00|N|00|W|00|S"; reference:url,www.f-secure.com/v-descs/nimda.shtml; classtype:bad-unknown; sid:1294; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda RICHED20.DLL"; flow:to_server,established; content:"R|00|I|00|C|00|H|00|E|00|D|00|2|00|0"; reference:url,www.f-secure.com/v-descs/nimda.shtml; classtype:bad-unknown; sid:1295; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS DOS RFPoison"; flow:to_server,established; content:"|5C 00 5C 00|*|00|S|00|M|00|B|00|S|00|E|00|R|00|V|00|E|00|R|00 00 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 FF FF FF FF 00 00 00 00|"; reference:arachnids,454; classtype:attempted-dos; sid:529; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS NT NULL session"; flow:to_server,established; content:"|00 00 00 00|W|00|i|00|n|00|d|00|o|00|w|00|s|00| |00|N|00|T|00| |00|1|00|3|00|8|00|1"; reference:arachnids,204; reference:bugtraq,1163; reference:cve,2000-0347; classtype:attempted-recon; sid:530; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS RFParalyze Attempt"; flow:to_server,established; content:"BEAVIS"; content:"yep yep"; reference:bugtraq,1163; reference:cve,2000-0347; reference:nessus,10392; classtype:attempted-recon; sid:1239; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CD.."; flow:to_server,established; content:"|5C|../|00 00 00|"; reference:arachnids,338; classtype:attempted-recon; sid:534; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CD..."; flow:to_server,established; content:"|5C|...|00 00 00|"; reference:arachnids,337; classtype:attempted-recon; sid:535; rev:6;)


# --- Startup folder access via TRANSACTION2 (139) -------------------------------
# "|FF|SMB2" here is SMB1 command 0x32 (TRANSACTION2, the ASCII '2'), not the
# SMB2 protocol. The path is matched with distance:0 after the header, i.e.
# anywhere later in the payload. The All Users Startup folder is a classic
# persistence location, so remote access to it deserves attention.
# NOTE(review): the ASCII form (2176) requires the full
# "Documents and Settings\All Users\..." prefix, so it only covers that
# profile root; the unicode form (2177) is anchored on
# "\Start Menu\Programs\Startup" and is profile-root independent.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB startup folder access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB2"; depth:5; offset:4; content:"Documents and Settings|5C|All Users|5C|Start Menu|5C|Programs|5C|Startup|00|"; distance:0; nocase; classtype:attempted-recon; sid:2176; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB startup folder unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB2"; depth:5; offset:4; content:"|5C 00|S|00|t|00|a|00|r|00|t|00| |00|M|00|e|00|n|00|u|00 5C 00|P|00|r|00|o|00|g|00|r|00|a|00|m|00|s|00 5C 00|S|00|t|00|a|00|r|00|t|00|u|00|p"; distance:0; nocase; classtype:attempted-recon; sid:2177; rev:4;)



# --- SMB DoS / overflow on 139 ------------------------------------------------
# 539 (Samba client banner, classed not-suspicious) ships disabled.
# 2101: TRANSACTION (|FF|SMB%) with four zero bytes at absolute offset 43 -
#       the zeroed Max Parameter / Max Count fields of the MS02-045 /
#       CVE-2002-0724 denial of service.
# 2103: TRANSACTION2 (|FF|SMB2) with |00 14| at offset 60 followed by a
#       little-endian 16-bit field > 256 (byte_test:2,>,256,0,relative,little)
#       - the Samba trans2open overflow, CVE-2003-0201.
# Both rely on absolute offsets, so they assume a 4-byte NBSS header and a
# plain 32-byte SMB header with no AndX chaining in front of the transaction.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS Samba clientaccess"; flow:to_server,established; content:"|00|Unix|00|Samba"; reference:arachnids,341; classtype:not-suspicious; sid:539; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB SMB_COM_TRANSACTION Max Parameter and Max Count of 0 DOS Attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; content:"|00 00 00 00|"; depth:4; offset:43; reference:bugtraq,5556; reference:cve,2002-0724; reference:nessus,11110; reference:url,www.corest.com/common/showdoc.php?idx=262; reference:url,www.microsoft.com/technet/security/bulletin/MS02-045.mspx; classtype:denial-of-service; sid:2101; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB trans2open buffer overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB2"; depth:5; offset:4; content:"|00 14|"; depth:2; offset:60; byte_test:2,>,256,0,relative,little; reference:bugtraq,7294; reference:cve,2003-0201; reference:url,www.digitaldefense.net/labs/advisories/DDI-1013.txt; classtype:attempted-admin; sid:2103; rev:9;)



# --- DCERPC bind checks: raw on 135, SMB-wrapped on 445 -------------------------
# Raw form (135): content:"|05|"; within:1 with no prior match anchors at
# payload offset 0 (RPC version 5); |0B| at distance:1 is a bind PDU;
# byte_test:1,&,1,0,relative tests the next byte (pfc_flags) for bit 0x01,
# the first-fragment flag. SMB form (445): TRANSACTION + TransactNmPipe +
# \PIPE\ decode as in the winreg rules, then the same PDU checks.
# 2190/2191: a bind whose byte at distance:21 (which appears to be the
#       context-item count) is zero - an invalid bind, classed attempted-dos.
# 2350: bind_ack (|0C|) FROM the server on 135, flowbits:noalert. It only
#       promotes dce.isystemactivator.bind.attempt (set by 2192) to
#       dce.isystemactivator.bind; it never alerts on its own.
# 2351/2352: MS03-026 / CVE-2003-0352 path overflow - a unicode "\\" path
#       whose preceding 4-byte length (byte_test:4,>,256,-8) exceeds 256,
#       little- and big-endian variants selected by drep bit 0x10.
# NOTE(review): 2351/2352 require dce.isystemactivator.bind, so detection
# depends on 2192 AND 2350 both being enabled and on the sensor seeing the
# server's reply. A one-directional tap, or someone pruning the "noalert"
# rules as dead weight, silently turns these two off.
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC invalid bind attempt"; flow:to_server,established; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|00|"; within:1; distance:21; classtype:attempted-dos; sid:2190; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB DCERPC invalid bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; distance:2; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|00|"; within:1; distance:21; classtype:attempted-dos; sid:2191; rev:3;)
alert tcp $HOME_NET 135 -> $EXTERNAL_NET any (msg:"NETBIOS DCERPC ISystemActivator bind accept"; flow:from_server,established; content:"|05|"; within:1; content:"|0C|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|00 00|"; within:2; distance:33; flowbits:isset,dce.isystemactivator.bind.attempt; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; reference:bugtraq,8205; reference:cve,2003-0352; reference:nessus,11808; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2350; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC ISystemActivator path overflow attempt little endian"; flow:to_server,established; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|5C 00 5C 00|"; byte_test:4,>,256,-8,little,relative; flowbits:isset,dce.isystemactivator.bind; reference:bugtraq,8205; reference:cve,2003-0352; reference:nessus,11808; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2351; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC ISystemActivator path overflow attempt big endian"; flow:to_server,established; content:"|05|"; within:1; byte_test:1,<,16,3,relative; content:"|5C 00 5C 00|"; byte_test:4,>,256,-8,relative; flowbits:isset,dce.isystemactivator.bind; reference:bugtraq,8205; reference:cve,2003-0352; reference:nessus,11808; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2352; rev:9;)




# --- ISystemActivator bind (MS03-026 / CVE-2003-0352, MS04-011 / CVE-2003-0813) --
# The 16-byte content at distance:29 is the interface UUID the msg identifies
# as ISystemActivator (000001A0-0000-0000-C000-000000000046, in wire order).
# 2192 (raw, 135): flowbits:noalert; only sets dce.isystemactivator.bind.attempt
#       for the bind_ack rule 2350.
# 2193/2491 (SMB, 445): set dce.isystemactivator.bind.call.attempt, which the
#       ORPCThis flood rules 2494-2496 require. 2491 adds
#       byte_test:2,&,1,5,relative and matches the unicode pipe name.
# NOTE(review): the "unicode" test in 2491 (2 bytes at offset 5 relative, &1,
# big-endian read) does not obviously correspond to the 0x8000 unicode flag
# that the share-access rules test with byte_test:1,&,128,6 - confirm which
# flags2 bit it actually selects. Also note the two flowbit names differ only
# by ".call": 2192 does not set the bit the port-135 flood rule 2494 requires.
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC ISystemActivator bind attempt"; flow:to_server,established; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind.attempt; flowbits:noalert; reference:bugtraq,8205; reference:cve,2003-0352; reference:nessus,11808; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2192; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC ISystemActivator bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind.call.attempt; reference:bugtraq,8205; reference:cve,2003-0352; reference:nessus,11808; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2193; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC ISystemActivator unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,&,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind.call.attempt; reference:bugtraq,8811; reference:cve,2003-0813; reference:nessus,12206; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2491; rev:7;)


# --- ISystemActivator bind over 139 ----------------------------------------------
# 139 counterparts of the 445 rules above; both set
# dce.isystemactivator.bind.call.attempt for the port-139 flood rule 2495.
# NOTE(review): 2492 uses byte_test:2,^,1,5,relative as its "not unicode"
# test. If the XOR operator means "(value ^ 1) != 0", as the Snort byte_test
# documentation describes it, that passes for every flags2 value except
# exactly 0x0001 - far weaker than the "!&,128,6" test the share-access rules
# use. Treat the ASCII/unicode split of 2492/2493 as approximate and verify
# with a capture.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC ISystemActivator bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 0B|"; within:10; distance:4; byte_test:1,&,16,1,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind.call.attempt; reference:bugtraq,8811; reference:cve,2003-0813; reference:nessus,12206; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2492; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC ISystemActivator unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,&,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind.call.attempt; reference:bugtraq,8811; reference:cve,2003-0813; reference:nessus,12206; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2493; rev:7;)







# --- Remote Activation, Messenger, Workstation Service, print spooler ------------
# 2251/2252 (MS03-039): bind to the UUID the msg identifies as Remote
#       Activation (B84A9F4D-1C7D-CF11-861E-0020AF6E7C57 in wire order), raw
#       on 135 / over SMB on 445. tag:session,5,packets logs the next 5
#       packets of the flow, so the follow-on traffic is captured for
#       analysis - keep it when tuning.
# 2257/2258 (MS03-043 Messenger): |04 00| is a connectionless DCERPC request
#       PDU; the two aligned byte_jumps appear to walk two length-prefixed
#       fields and the final byte_test flags a length > 1024. 2257 is UDP
#       with no flow: option, so a single spoofed datagram can raise it -
#       do not treat its source address as reliable.
# 2308-2311 (MS03-049 Workstation Service): bind to the wkssvc UUID
#       (6BFFD098-A112-3610-9833-46C3F87E345A in wire order) over 139/445;
#       the ASCII variants again use the weak byte_test:2,^,1,5 test.
#       2315/2316 match the same UUID on any destination port >= 1024
#       ("1024:"), connection-oriented (|05 00 0B|) and connectionless
#       (|04 00|) - the port range is broad, so their cost scales with all
#       high-port traffic.
# 2348/2349: spoolss bind (UUID 12345678-1234-ABCD-EF00-0123456789AB in wire
#       order), flowbits:noalert, sets dce.printer.bind; 2349 then alerts on
#       a request PDU on that flow (byte_test:1,&,3,0 on pfc_flags, |00 00|
#       at distance:19 is presumably opnum 0, which the msg names as the
#       enumerate-printers call). In 2349 "content:"|05|"; distance:1" has
#       no within:, so it is not anchored to the PDU start.
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC Remote Activation bind attempt"; flow:to_server,established; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; tag:session,5,packets; reference:bugtraq,8234; reference:bugtraq,8458; reference:cve,2003-0528; reference:cve,2003-0605; reference:cve,2003-0715; reference:nessus,11798; reference:nessus,11835; reference:url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx; classtype:attempted-admin; sid:2251; rev:14;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC Remote Activation bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; tag:session,5,packets; reference:bugtraq,8234; reference:bugtraq,8458; reference:cve,2003-0528; reference:cve,2003-0605; reference:cve,2003-0715; reference:nessus,11798; reference:nessus,11835; reference:url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx; classtype:attempted-admin; sid:2252; rev:14;)
alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC Messenger Service buffer overflow attempt"; content:"|04 00|"; depth:2; byte_test:1,>,15,2,relative; byte_jump:4,86,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,0,little,relative; reference:bugtraq,8826; reference:cve,2003-0717; reference:nessus,11888; reference:nessus,11890; reference:url,www.microsoft.com/technet/security/bulletin/MS03-043.mspx; classtype:attempted-admin; sid:2257; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC Messenger Service buffer overflow attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|04 00|"; within:2; byte_test:1,>,15,2,relative; byte_jump:4,86,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,0,little,relative; reference:bugtraq,8826; reference:cve,2003-0717; reference:nessus,11888; reference:nessus,11890; reference:url,www.microsoft.com/technet/security/bulletin/MS03-043.mspx; classtype:attempted-admin; sid:2258; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC Workstation Service unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,&,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2308; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC Workstation Service bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 0B|"; within:10; distance:4; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2309; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC Workstation Service unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,&,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2310; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC Workstation Service bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 0B|"; within:10; distance:4; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2311; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"NETBIOS DCERPC Workstation Service direct service bind attempt"; flow:to_server,established; content:"|05 00 0B|"; depth:3; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2315; rev:6;)
alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"NETBIOS DCERPC Workstation Service direct service access attempt"; content:"|04 00|"; depth:2; byte_test:1,&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2316; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC print spool bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00 05 00 0B|"; within:17; distance:5; byte_test:1,&,16,1,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:29; flowbits:set,dce.printer.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2348; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC enumerate printers request attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; distance:1; content:"|00|"; within:1; distance:1; byte_test:1,&,3,0,relative; content:"|00 00|"; within:2; distance:19; flowbits:isset,dce.printer.bind; classtype:attempted-recon; sid:2349; rev:5;)

# --- Session Setup AndX ASN.1 security-blob overflow (CVE-2003-0818) ------------
# SESSION_SETUP_ANDX (command 0x73, the 's' in |FF|SMBs), ASCII variant only
# (byte_test:1,!&,128,6). byte_test:4,&,2147483648,21,relative,little tests
# the 0x80000000 capability bit (extended security) in the request;
# content:!"NTLMSSP" rejects a raw NTLMSSP blob, leaving a SPNEGO/ASN.1
# blob; the asn1: option with oversize_length 2048 plus the double_overflow
# and bitstring_overflow checks does the actual detection.
# NOTE(review): "NTMLSSP" in the msg is a long-standing upstream typo. Leave
# it - downstream correlation is keyed on sid+msg - or fix it together with
# a rev bump, never silently.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Session Setup NTMLSSP asn1 overflow attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMBs"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; distance:27; within:7; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; classtype:protocol-command-decode; sid:2382; rev:16;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Session Setup NTMLSSP asn1 overflow attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMBs"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; distance:27; within:7; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; classtype:protocol-command-decode; sid:2383; rev:16;)

# --- Session Setup AndX username overflow (bugtraq 9752, eEye AD20040226) --------
# byte_test:2,>,322,2 reads the NBSS length field (payload bytes 2-3) and
# requires a session message longer than 322 bytes before anything else is
# evaluated - a cheap pre-filter.
# ASCII form (2401/2402): flags2 unicode bit clear (byte_test:1,<,128,6),
# four zero bytes at distance:42 (which appear to be the two password-length
# fields), a little-endian 16-bit field at offset 8 relative > 255
# (presumably ByteCount), and no NUL within the next 255 bytes of the data
# area - i.e. an account name that runs past 255 bytes.
# Unicode form (2403/2404): the corresponding length field at distance:54
# > 255, then NUL patterns spaced 255+ bytes apart in the data area.
# NOTE(review): 2403/2404 open with two "content:"|00 00|"; distance:0"
# matches before the absolute "content:"|00|"; depth:1" anchor. They only
# require two NUL pairs somewhere in the payload and are then superseded by
# the absolute anchor, so they cost matcher work and add no selectivity;
# likely a leftover worth removing with a rev bump.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Session Setup AndX request username overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; byte_test:2,>,322,2; content:"|FF|SMBs"; depth:5; offset:4; nocase; byte_test:1,<,128,6,relative; content:"|00 00 00 00|"; within:4; distance:42; byte_test:2,>,255,8,relative,little; content:!"|00|"; within:255; distance:10; reference:bugtraq,9752; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:attempted-admin; sid:2401; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Session Setup AndX request username overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; byte_test:2,>,322,2; content:"|FF|SMBs"; depth:5; offset:4; nocase; byte_test:1,<,128,6,relative; content:"|00 00 00 00|"; within:4; distance:42; byte_test:2,>,255,8,relative,little; content:!"|00|"; within:255; distance:10; reference:bugtraq,9752; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:attempted-admin; sid:2402; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Session Setup AndX request unicode username overflow attempt"; flow:to_server,established; content:"|00 00|"; distance:0; content:"|00 00|"; distance:0; content:"|00|"; depth:1; byte_test:2,>,322,2; content:"|FF|SMBs"; depth:5; offset:4; nocase; byte_test:1,&,128,6,relative; byte_test:2,>,255,54,relative,little; content:"|00|"; distance:56; content:"|00 00|"; distance:255; content:"|00 00|"; distance:0; reference:bugtraq,9752; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:attempted-admin; sid:2403; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Session Setup AndX request unicode username overflow attempt"; flow:to_server,established; content:"|00 00|"; distance:0; content:"|00 00|"; distance:0; content:"|00|"; depth:1; byte_test:2,>,322,2; content:"|FF|SMBs"; depth:5; offset:4; nocase; byte_test:1,&,128,6,relative; byte_test:2,>,255,54,relative,little; content:"|00|"; distance:56; content:"|00 00|"; distance:255; content:"|00 00|"; distance:0; reference:bugtraq,9752; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:attempted-admin; sid:2404; rev:5;)



# sid:2494-2496 -- DCERPC request flood against the ISystemActivator endpoint (bugtraq 8811,
# CVE-2003-0813, MS04-011 bulletin link). Walk: 0x05 at payload offset 0 (DCERPC major version), 0x00 at
# offset 2 (ptype request), first-fragment flag in the pfc byte at 3, a second 0x05 at offset 24 (start of
# the stub data -- presumably the ORPCThis COMVERSION major 5), and the "MEOW" OBJREF signature anywhere
# after it. Only counts on flows already flagged dce.isystemactivator.bind.call.attempt; the rule that sets
# that bit is not in this section.
# threshold:type both, track by_dst, count 20, seconds 60 -> one alert per destination host per minute
# once 20 matching PDUs have been seen; below that rate the rule is silent by design.
# NOTE(review): msg spells "DCEPRC" (DCERPC) in all three rules. The 139 and 445 copies are otherwise
# identical to the 135 rule and still anchor the DCERPC header at payload offset 0 (within:1 with no prior
# match), which over SMB only holds for segments carrying a bare PDU; confirm they fire on real traffic.
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCEPRC ORPCThis request flood attempt"; flow:to_server,established; content:"|05|"; within:1; content:"|00|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|05|"; within:1; distance:21; content:"MEOW"; flowbits:isset,dce.isystemactivator.bind.call.attempt; threshold:type both, track by_dst, count 20, seconds 60; reference:bugtraq,8811; reference:cve,2003-0813; reference:nessus,12206; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:misc-attack; sid:2494; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCEPRC ORPCThis request flood attempt"; flow:to_server,established; content:"|05|"; within:1; content:"|00|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|05|"; within:1; distance:21; content:"MEOW"; flowbits:isset,dce.isystemactivator.bind.call.attempt; threshold:type both, track by_dst, count 20, seconds 60; reference:bugtraq,8811; reference:cve,2003-0813; reference:nessus,12206; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:misc-attack; sid:2495; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCEPRC ORPCThis request flood attempt"; flow:to_server,established; content:"|05|"; within:1; content:"|00|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|05|"; within:1; distance:21; content:"MEOW"; flowbits:isset,dce.isystemactivator.bind.call.attempt; threshold:type both, track by_dst, count 20, seconds 60; reference:bugtraq,8811; reference:cve,2003-0813; reference:nessus,12206; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:misc-attack; sid:2496; rev:7;)


# sid:2507 / 2524 / 2508 -- LSASS chain over raw DCERPC on 135 (bugtraq 10108, CVE-2003-0533, MS04-011
# bulletin link). 2507 and 2524 are silent stage-setters (flowbits:noalert): they mark the flow with
# netbios.lsass.bind.attempt when a DCERPC PDU carries, at PDU offset 32, the 16 bytes that decode
# (little-endian first three fields) to 3919286a-b10c-11d0-9ba8-00c04fd92ef5, the LSARPC interface UUID.
# 2508 then alerts on a DCERPC request (0x05 at 0, ptype 0x00 at 2) whose opnum field at PDU offset 22 is
# 0x0009 little-endian -- DsRolerUpgradeDownlevelServer per the msg -- but only on a flagged flow.
# NOTE(review): 2507 tests PDU byte 2 for 0x00 (request) where 2524 tests it for 0x0B (bind); confirm
# 2507 really sets the bit on a genuine bind. 2524 also demands an SMB header ("|FF|SMB" at offset 4) even
# though it listens on 135, which normally carries bare DCERPC; it reads like a copy of the 139/445
# direct-bind rules and may be dead on this port.
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC LSASS bind attempt"; flow:to_server,established; content:"|05|"; within:1; content:"|00|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2507; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC LSASS direct bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; depth:4; offset:4; nocase; content:"|05|"; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2524; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC LSASS DsRolerUpgradeDownlevelServer Exploit attempt"; flow:to_server,established; content:"|05|"; within:1; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; flowbits:isset,netbios.lsass.bind.attempt; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2508; rev:6;)


# sid:2509 / 2510 / 2525 -- LSASS bind over SMB named pipes on 139 (same references as the 135 set).
# All three are flowbits:noalert stage-setters for netbios.lsass.bind.attempt, consumed by sid:2511.
# 2509 (Unicode) / 2510 (ASCII): SMB Trans ('%' = 0x25) whose setup word 56 bytes past the command is
# 0x0026 (TransactNmPipe), a \PIPE\ name in UTF-16 or ASCII immediately followed by a DCERPC bind header
# (05 00 0B), the DREP byte's 0x10 (little-endian) bit set, and the LSARPC UUID
# (3919286a-b10c-11d0-9ba8-00c04fd92ef5, little-endian first fields) at PDU offset 32.
# 2525 ("direct bind"): any SMB command, then the first 0x05 0x?? 0x0B sequence after the header with the
# same UUID 29 bytes on -- catches the bind carried in a Write AndX or similar rather than Trans.
# NOTE(review): 2509/2510 test the Unicode flag with a two-byte read at relative offset 5 ("2,&,1" and
# "2,^,1") rather than the "1,&,128,6,relative" form every other rule in this file uses; confirm the two
# forms select the same bit, otherwise the ASCII/Unicode split here is not what the msg says.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC LSASS unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,&,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2509; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC LSASS bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 0B|"; within:10; distance:4; byte_test:1,&,16,1,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2510; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC LSASS direct bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; depth:4; offset:4; nocase; content:"|05|"; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2525; rev:6;)


# sid:2511 -- alerting stage of the 139 LSASS chain (bugtraq 10108, CVE-2003-0533). Requires
# netbios.lsass.bind.attempt already set on the flow (by sid:2509/2510/2525 or a rule elsewhere), an SMB
# header, and a DCERPC request (0x05, then ptype 0x00 two bytes later) whose opnum field 19 bytes further
# on is 0x0009 little-endian -- DsRolerUpgradeDownlevelServer per the msg. The 0x05 is searched with
# distance:59 but no within, so it is the first 0x05 at or after payload offset 67; a false 0x05 earlier in
# the stub data would misalign the opnum check.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt"; flow:to_server,established; flowbits:isset,netbios.lsass.bind.attempt; content:"|FF|SMB"; depth:4; offset:4; nocase; content:"|05|"; distance:59; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2511; rev:9;)



# sid:2512 / 2526 / 2513 / 2514 -- the 445 (SMB-DS) LSASS chain, bugtraq 10108 / CVE-2003-0533 / MS04-011.
# 2512 (ASCII) and 2513 (Unicode): SMB Trans ('%') with setup word 0x0026 (TransactNmPipe) 56 bytes past the
# command, a \PIPE\ name, then a DCERPC bind (05 .. 0B) whose UUID at PDU offset 32 decodes to the LSARPC
# interface 3919286a-b10c-11d0-9ba8-00c04fd92ef5. 2512 checks the first-fragment flag
# (byte_test:1,&,1,0,relative on the pfc byte); 2513 checks the DREP little-endian bit instead.
# 2526 ("direct bind"): any SMB command, first 05 ?? 0B after the header, same UUID 29 bytes on.
# All three are flowbits:noalert and only set netbios.lsass.bind.attempt.
# 2514 alerts on a flagged flow when a DCERPC request (05 .. 00) at or after payload offset 67 has opnum
# 0x0009 little-endian (DsRolerUpgradeDownlevelServer per the msg).
# NOTE(review): 2512 omits the content:"|00|"; depth:1 NetBIOS session-message check that 2526/2513 and
# the 139 counterparts carry; probably harmless with offset:4 anchoring, but it is inconsistent.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC LSASS bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; distance:2; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2512; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC LSASS direct bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; depth:4; offset:4; nocase; content:"|05|"; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2526; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC LSASS unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2513; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt"; flow:to_server,established; flowbits:isset,netbios.lsass.bind.attempt; content:"|FF|SMB"; depth:4; offset:4; nocase; content:"|05|"; distance:59; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2514; rev:7;)
# sid:2563 / 2564 -- malformed NetBIOS Name Service replies arriving from UDP 137 (bugtraq 10333-10335,
# CVE-2004-0444 / CVE-2004-0445, eEye AD20040512A / AD20040512C). Both require the response bit
# (byte_test:1,>,127,2 -> high bit of the first flags byte) and an answer count of 1 ("|00 01|" at offset 6).
# 2563 fires when the first label-length byte of the name (offset 12) exceeds 32; an encoded NetBIOS name
# is exactly 32 characters, so a longer label is malformed. 2564 fires on such a reply shorter than 56
# bytes (dsize:<56), too short to hold a complete name record.
# Both key on $EXTERNAL_NET source port 137, i.e. replies to outbound lookups or unsolicited/spoofed
# replies; the sensor must see inbound UDP for them to be useful.
alert udp $EXTERNAL_NET 137 -> $HOME_NET any (msg:"NETBIOS NS lookup response name overflow attempt"; byte_test:1,>,127,2; content:"|00 01|"; depth:2; offset:6; byte_test:1,>,32,12; reference:bugtraq,10333; reference:bugtraq,10334; reference:cve,2004-0444; reference:cve,2004-0445; reference:url,www.eeye.com/html/Research/Advisories/AD20040512A.html; classtype:attempted-admin; sid:2563; rev:4;)
alert udp $EXTERNAL_NET 137 -> $HOME_NET 137 (msg:"NETBIOS NS lookup short response attempt"; dsize:<56; byte_test:1,>,127,2; content:"|00 01|"; depth:2; offset:6; reference:bugtraq,10334; reference:bugtraq,10335; reference:cve,2004-0444; reference:cve,2004-0445; reference:url,www.eeye.com/html/Research/Advisories/AD20040512C.html; classtype:attempted-admin; sid:2564; rev:4;)
# sid:2924 / 2923 -- password-guessing indicator: Session Setup AndX responses (command byte 0x73 right
# after "|ff|SMB") from $HOME_NET servers whose NT status dword is 6d 00 00 c0, i.e. 0xC000006D
# STATUS_LOGON_FAILURE in little-endian. Direction is server -> client, so track by_dst keys the threshold
# on the guessing client: one alert per client per minute once 10 failures are seen (threshold:type
# threshold, count 10, seconds 60), nothing below that.
# Coverage caveat: the header is $HOME_NET -> $EXTERNAL_NET, so failures against internal servers from
# internal clients are never counted; widen the variables if lateral brute forcing is in scope.
alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"NETBIOS SMB-DS repeated logon failure"; flow:from_server,established; content:"|ff|SMB"; offset:4; depth:4; content:"|73|"; distance:0; within:1; content:"|6d0000c0|"; distance:0; within:4; threshold:type threshold,track by_dst,count 10,seconds 60; classtype:unsuccessful-user; sid:2924; rev:2;)
alert tcp $HOME_NET 139 -> $EXTERNAL_NET any (msg:"NETBIOS SMB repeated logon failure"; flow:from_server,established; content:"|ff|SMB"; offset:4; depth:4; content:"|73|"; distance:0; within:1; content:"|6d0000c0|"; distance:0; within:4; threshold:type threshold,track by_dst,count 10,seconds 60; classtype:unsuccessful-user; sid:2923; rev:2;)
# --- IPC$ named-pipe chain (nddeapi / winreg), first part ---
# These rules are stages of a per-flow flowbits chain:
#   smb.tree.connect.ipc (Tree Connect AndX to IPC$; set by sid 2953/2954/2955 in this section and by the
#   plain IPC$ share-access rules elsewhere in the file)
#   -> smb.tree.create.nddeapi / smb.tree.create.winreg (NT Create AndX 0xA2 opening \nddeapi or \winreg)
#   -> smb.tree.bind.nddeapi / smb.tree.bind.winreg (DCERPC bind over SMB Trans to the pipe; the 16-byte
#      UUID contents decode little-endian to 2f5f3220-c126-1076-b549-074d078619da for nddeapi and
#      338cd001-2244-31f1-aaaa-900038001003 for winreg)
#   -> NDdeSetTrustedShareW overflow (bugtraq 11372, CAN-2004-0206) and InitiateSystemShutdown rules, which
#      only alert on a flow whose bind bit is set.
# Every stage exists as ASCII vs Unicode (Flags2 bit tested with byte_test:1,!&/&,128,6,relative) and plain
# vs "andx" form. Plain: the command byte is part of the "|FF|SMB?" signature and pcre "/^.{27}/R" steps to
# WordCount. Andx: the pcre admits any AndX-capable first command, the expected command byte is tested at
# payload offset 39, and byte_jump:2,0,little,relative follows the AndX offset to the chained block.
# Overflow rules: after the DCERPC request (05 .. 00) and opnum 12 (0x0C), isdataat:256/512,relative plus a
# negated NUL / double-NUL search mean "at least that much stub data with no string terminator".
# NOTE(review): DCERPC DREP byte bit 0x10 denotes little-endian integers. The rules labelled "little
# endian" test that bit clear (byte_test:1,!&,16,3,relative) and read the opnum as |0C 00| / |18 00|,
# while the unlabelled ones test it set and read |00 0C| / |00 18|. Windows stacks typically send 0x10, so
# confirm against a capture which pairing actually matches before relying on either.
# NOTE(review): sid:2951 below places the chained AndXCommand at payload offset 37, whereas the andx rules
# test offset 39; verify the andx variants on real traffic.
# NOTE(review): no rule in this section sets smb.tree.create.nddeapi on port 139; the 139 nddeapi bind rules
# (2932/2960/2961) and everything downstream of them depend on a setter elsewhere or never fire.
# sid:2932 139 ASCII: Trans to \PIPE\, DCERPC bind to the nddeapi UUID; requires create.nddeapi, sets bind.nddeapi
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB nddeapi bind attempt"; flowbits:isset,smb.tree.create.nddeapi; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; distance:1; within:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; distance:29; within:16; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,CAN-2004-0206; classtype:protocol-command-decode; sid:2932; rev:3;)
# sid:2994 139 Unicode andx: winreg request with opnum 24 (0x18), DREP bit set; requires bind.winreg
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB InitiateSystemShutdown unicode andx attempt"; flowbits:isset,smb.tree.bind.winreg; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 18|"; distance:19; within:2; classtype:protocol-command-decode; sid:2994; rev:3;)
# sid:2976 139 ASCII andx: chained Tree Connect ('u') to C$; the negated IPC$ match at distance:-5 keeps "IPC$" from matching as "C$"
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB C$ andx share access"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; offset:39; depth:1; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"C|24 00|"; nocase; distance:2; content:!"IPC|24 00|"; nocase; distance:-5; within:5; classtype:protocol-command-decode; sid:2976; rev:2;)
# sid:2939 445 Unicode plain: nddeapi opnum 12, >=512 bytes of stub data without a UTF-16 terminator; requires bind.nddeapi
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NDdeSetTrustedShareW unicode overflow attempt"; flowbits:isset,smb.tree.bind.nddeapi; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 0C|"; distance:19; within:2; isdataat:512,relative; content:!"|00 00|"; distance:12; within:512; reference:bugtraq,11372; reference:cve,CAN-2004-0206; classtype:attempted-admin; sid:2939; rev:3;)
# sid:2958 445 ASCII andx: chained NT Create AndX (0xA2) naming \nddeapi 51 bytes on; requires connect.ipc, sets create.nddeapi
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS nddeapi andx create tree attempt"; flowbits:isset,smb.tree.connect.ipc; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"|5C|nddeapi|00|"; nocase; distance:51; within:9; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,CAN-2004-0206; classtype:protocol-command-decode; sid:2958; rev:2;)
# sid:2937 139 Unicode plain: same test as sid:2939 on port 139
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NDdeSetTrustedShareW unicode overflow attempt"; flowbits:isset,smb.tree.bind.nddeapi; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 0C|"; distance:19; within:2; isdataat:512,relative; content:!"|00 00|"; distance:12; within:512; reference:bugtraq,11372; reference:cve,CAN-2004-0206; classtype:attempted-admin; sid:2937; rev:3;)
# sid:2988 139 ASCII andx: chained Trans ('%') carrying a DCERPC bind to the winreg UUID; requires create.winreg, sets bind.winreg
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg andx bind attempt"; flowbits:isset,smb.tree.create.winreg; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; distance:1; within:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; within:16; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2988; rev:3;)
# sid:2971 445 Unicode "little endian" andx: opnum read as |0C 00|, DREP bit clear, >=512 bytes without double-NUL; requires bind.nddeapi
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NDdeSetTrustedShareW unicode little endian andx overflow attempt"; flowbits:isset,smb.tree.bind.nddeapi; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|0C 00|"; distance:19; within:2; isdataat:512,relative; content:!"|00 00|"; distance:12; within:512; reference:bugtraq,11372; reference:cve,CAN-2004-0206; classtype:attempted-admin; sid:2971; rev:3;)
# sid:2989 139 Unicode andx: as sid:2988 with a UTF-16 \PIPE\ name; sets bind.winreg
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg unicode andx bind attempt"; flowbits:isset,smb.tree.create.winreg; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; distance:1; within:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; within:16; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2989; rev:3;)
# sid:2944 139 Unicode plain: winreg request opnum 24 (|00 18|), DREP bit set; requires bind.winreg
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB InitiateSystemShutdown unicode attempt"; flowbits:isset,smb.tree.bind.winreg; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 18|"; distance:19; within:2; classtype:protocol-command-decode; sid:2944; rev:3;)
# sid:2972 139 ASCII andx: chained Tree Connect ('u') to D$; no flowbit involvement
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB D$ andx share access"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; offset:39; depth:1; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"D|24 00|"; nocase; distance:2; classtype:protocol-command-decode; sid:2972; rev:2;)
# --- IPC$ named-pipe chain (nddeapi / winreg), second part ---
# Stages of the per-flow flowbits chain smb.tree.connect.ipc -> smb.tree.create.<pipe> ->
# smb.tree.bind.<pipe> -> exploit-stage rule (NDdeSetTrustedShareW overflow, bugtraq 11372 / CAN-2004-0206).
# ASCII vs Unicode is selected by byte_test:1,!&/&,128,6,relative on the SMB Flags2 byte; "andx" variants
# accept the command as a chained AndX block (command byte tested at payload offset 39, then
# byte_jump:2,0,little,relative), plain variants carry it in the "|FF|SMB?" signature.
# Overflow rules require a DCERPC request (05 .. 00), opnum 12 (0x0C) and isdataat:256/512 bytes of stub
# data with no NUL (ASCII) or double-NUL (Unicode) terminator found in that span.
# NOTE(review): the "little endian" variants test the DREP byte's 0x10 bit clear (byte_test:1,!&,16,3,relative)
# yet read the opnum as |0C 00|; the others test it set and read |00 0C|. Bit 0x10 set is what denotes
# little-endian in DCERPC, so confirm which pairing matches real traffic.
# sid:2936 139 ASCII plain: >=256 bytes of stub data with no NUL; requires bind.nddeapi
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NDdeSetTrustedShareW overflow attempt"; flowbits:isset,smb.tree.bind.nddeapi; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 0C|"; distance:19; within:2; isdataat:256,relative; content:!"|00|"; distance:12; within:256; reference:bugtraq,11372; reference:cve,CAN-2004-0206; classtype:attempted-admin; sid:2936; rev:3;)
# sid:2953 139 Unicode andx: chained Tree Connect ('u') to IPC$ (byte_jump:2,7 skips the password field); sets connect.ipc
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IPC$ unicode andx share access"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; offset:39; depth:1; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"I|00|P|00|C|00 24 00 00 00|"; nocase; distance:2; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:2953; rev:2;)
# sid:2984 139 ASCII andx: chained NT Create AndX (0xA2) naming \winreg; requires connect.ipc, sets create.winreg
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg andx create tree attempt"; flowbits:isset,smb.tree.connect.ipc; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"|5C|winreg|00|"; nocase; distance:51; within:8; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2984; rev:2;)
# sid:2979 445 Unicode andx: Tree Connect to C$; the negated IPC$ match at distance:-10 excludes "IPC$" ending in "C$"
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS C$ unicode andx share access"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; offset:39; depth:1; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"C|00 24 00 00 00|"; nocase; distance:2; content:!"I|00|P|00|C|00 24 00 00 00|"; nocase; distance:-10; within:10; classtype:protocol-command-decode; sid:2979; rev:2;)
# sid:2961 139 Unicode andx: DCERPC bind to the nddeapi UUID over a chained Trans; requires create.nddeapi, sets bind.nddeapi
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB nddeapi unicode andx bind attempt"; flowbits:isset,smb.tree.create.nddeapi; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; distance:1; within:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; distance:29; within:16; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,CAN-2004-0206; classtype:protocol-command-decode; sid:2961; rev:3;)
# sid:2960 139 ASCII andx: as sid:2961 with an ASCII \PIPE\ name
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB nddeapi andx bind attempt"; flowbits:isset,smb.tree.create.nddeapi; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; distance:1; within:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; distance:29; within:16; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,CAN-2004-0206; classtype:protocol-command-decode; sid:2960; rev:3;)
# sid:2948 445 ASCII "little endian" plain: opnum |0C 00|, DREP bit clear, >=256 bytes with no NUL; requires bind.nddeapi
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NDdeSetTrustedShareW little endian overflow attempt"; flowbits:isset,smb.tree.bind.nddeapi; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|0C 00|"; distance:19; within:2; isdataat:256,relative; content:!"|00|"; distance:12; within:256; reference:bugtraq,11372; reference:cve,CAN-2004-0206; classtype:attempted-admin; sid:2948; rev:3;)
# sid:2949 445 Unicode "little endian" plain: opnum |0C 00|, >=512 bytes with no double-NUL; requires bind.nddeapi
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NDdeSetTrustedShareW unicode little endian overflow attempt"; flowbits:isset,smb.tree.bind.nddeapi; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|0C 00|"; distance:19; within:2; isdataat:512,relative; content:!"|00 00|"; distance:12; within:512; reference:bugtraq,11372; reference:cve,CAN-2004-0206; classtype:attempted-admin; sid:2949; rev:3;)
# sid:2930 445 ASCII plain: NT Create AndX (0xA2 in the signature) naming \nddeapi 51 bytes past WordCount; requires connect.ipc, sets create.nddeapi
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS nddeapi create tree attempt"; flowbits:isset,smb.tree.connect.ipc; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|A2|"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|5C|nddeapi|00|"; nocase; distance:51; within:9; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,CAN-2004-0206; classtype:protocol-command-decode; sid:2930; rev:2;)
# sid:2931 445 Unicode plain: as sid:2930 with a UTF-16 \nddeapi name
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS nddeapi unicode create tree attempt"; flowbits:isset,smb.tree.connect.ipc; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|A2|"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|5C 00|n|00|d|00|d|00|e|00|a|00|p|00|i|00 00 00|"; nocase; distance:51; within:18; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,CAN-2004-0206; classtype:protocol-command-decode; sid:2931; rev:2;)
# sid:2970 445 Unicode andx: opnum |00 0C|, DREP bit set, >=512 bytes with no double-NUL; requires bind.nddeapi
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NDdeSetTrustedShareW unicode andx overflow attempt"; flowbits:isset,smb.tree.bind.nddeapi; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 0C|"; distance:19; within:2; isdataat:512,relative; content:!"|00 00|"; distance:12; within:512; reference:bugtraq,11372; reference:cve,CAN-2004-0206; classtype:attempted-admin; sid:2970; rev:3;)
# sid:2965 139 ASCII "little endian" andx: opnum |0C 00|, DREP bit clear, >=256 bytes with no NUL; requires bind.nddeapi
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NDdeSetTrustedShareW little endian andx overflow attempt"; flowbits:isset,smb.tree.bind.nddeapi; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|0C 00|"; distance:19; within:2; isdataat:256,relative; content:!"|00|"; distance:12; within:256; reference:bugtraq,11372; reference:cve,CAN-2004-0206; classtype:attempted-admin; sid:2965; rev:3;)
# sid:2951 445: three or more chained AndX commands in one request. The pcre requires AndX-capable commands
# at the header command byte (payload offset 8) and at the first chained AndXCommand (offset 37);
# byte_jump:2,39,little then follows the 16-bit AndXOffset at 39 and the negated "|FF|" at distance:-36
# requires the next block's AndXCommand to be something other than 0xFF (end of chain) -- assuming
# AndXOffset counts from the SMB header start, confirm on a capture. Presumably aimed at deep AndX
# chaining used to push content past inspection limits.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS too many stacked requests"; flow:to_server,established; content:"|FF|SMB"; pcre:"/^\x00.{3}\xFFSMB(\x73|\x74|\x75|\xa2|\x24|\x2d|\x2e|\x2f).{28}(\x73|\x74|\x75|\xa2|\x24|\x2d|\x2e|\x2f)/"; byte_jump:2,39,little; content:!"|FF|"; distance:-36; within:1; classtype:protocol-command-decode; sid:2951; rev:1;)
# --- IPC$ named-pipe chain (nddeapi / winreg), third part ---
# Stages of the per-flow flowbits chain smb.tree.connect.ipc -> smb.tree.create.<pipe> ->
# smb.tree.bind.<pipe> -> exploit-stage rule. The InitiateSystemShutdown rules look for a DCERPC request
# (05 .. 00) with opnum 24 (0x18) on a flow whose smb.tree.bind.winreg bit is set; nddeapi bind rules match
# the 16 bytes decoding little-endian to 2f5f3220-c126-1076-b549-074d078619da. ASCII vs Unicode is the
# Flags2 byte test (byte_test:1,!&/&,128,6,relative); "andx" variants test the chained command byte at
# payload offset 39 and follow it with byte_jump:2,0,little,relative.
# NOTE(review): the winreg create/bind stage rules in this file exist only for port 139, so sid:2997 and
# sid:2998 (port 445, isset smb.tree.bind.winreg) depend on a setter outside this section or never fire.
# NOTE(review): "little endian" variants test the DREP 0x10 bit clear and read the opnum as |18 00|; the
# Unicode variants test it set and read |00 18|. Bit 0x10 set is the little-endian DREP value, so confirm
# which pairing matches real traffic.
# sid:2997 445 ASCII "little endian" andx: winreg opnum |18 00|; requires bind.winreg
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS InitiateSystemShutdown little endian andx attempt"; flowbits:isset,smb.tree.bind.winreg; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|18 00|"; distance:19; within:2; classtype:protocol-command-decode; sid:2997; rev:3;)
# sid:2985 139 Unicode andx: chained NT Create AndX (0xA2) naming \winreg in UTF-16; requires connect.ipc, sets create.winreg
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg unicode andx create tree attempt"; flowbits:isset,smb.tree.connect.ipc; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"|5C 00|w|00|i|00|n|00|r|00|e|00|g|00 00 00|"; nocase; distance:51; within:16; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2985; rev:2;)
# sid:2947 139 Unicode "little endian" plain: nddeapi opnum |0C 00|, >=512 bytes of stub data with no double-NUL; requires bind.nddeapi
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NDdeSetTrustedShareW unicode little endian overflow attempt"; flowbits:isset,smb.tree.bind.nddeapi; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|0C 00|"; distance:19; within:2; isdataat:512,relative; content:!"|00 00|"; distance:12; within:512; reference:bugtraq,11372; reference:cve,CAN-2004-0206; classtype:attempted-admin; sid:2947; rev:3;)
# sid:2954 445 ASCII andx: chained Tree Connect ('u') to IPC$ (byte_jump:2,7 skips the password field); sets connect.ipc
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IPC$ andx share access"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; offset:39; depth:1; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"IPC|24 00|"; nocase; distance:2; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:2954; rev:2;)
# sid:2943 139 ASCII "little endian" plain: winreg opnum |18 00|; requires bind.winreg
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB InitiateSystemShutdown little endian attempt"; flowbits:isset,smb.tree.bind.winreg; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|18 00|"; distance:19; within:2; classtype:protocol-command-decode; sid:2943; rev:3;)
# sid:2998 445 Unicode andx: winreg opnum |00 18|, DREP bit set; requires bind.winreg
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS InitiateSystemShutdown unicode andx attempt"; flowbits:isset,smb.tree.bind.winreg; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 18|"; distance:19; within:2; classtype:protocol-command-decode; sid:2998; rev:3;)
# sid:2935 445 Unicode plain: Trans to \PIPE\, DCERPC bind (05 .. 0B) to the nddeapi UUID; requires create.nddeapi, sets bind.nddeapi
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS nddeapi unicode bind attempt"; flowbits:isset,smb.tree.create.nddeapi; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; distance:1; within:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; distance:29; within:16; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,CAN-2004-0206; classtype:protocol-command-decode; sid:2935; rev:3;)
# sid:2962 445 ASCII andx: as sid:2935 but the Trans arrives as a chained AndX block with an ASCII \PIPE\ name
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS nddeapi andx bind attempt"; flowbits:isset,smb.tree.create.nddeapi; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; distance:1; within:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; distance:29; within:16; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,CAN-2004-0206; classtype:protocol-command-decode; sid:2962; rev:3;)
# sid:2977 139 Unicode andx: Tree Connect to C$; negated IPC$ match at distance:-10 excludes "IPC$"
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB C$ unicode andx share access"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; offset:39; depth:1; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"C|00 24 00 00 00|"; nocase; distance:2; content:!"I|00|P|00|C|00 24 00 00 00|"; nocase; distance:-10; within:10; classtype:protocol-command-decode; sid:2977; rev:2;)
# sid:2955 445 Unicode andx: Tree Connect to IPC$; sets connect.ipc
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IPC$ unicode andx share access"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; offset:39; depth:1; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"I|00|P|00|C|00 24 00 00 00|"; nocase; distance:2; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:2955; rev:2;)
# sid:2981 139 Unicode andx: Tree Connect to ADMIN$; no flowbit involvement
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB ADMIN$ unicode andx share access"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; offset:39; depth:1; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"A|00|D|00|M|00|I|00|N|00 24 00 00 00|"; nocase; distance:2; classtype:protocol-command-decode; sid:2981; rev:2;)
# sid:2993 139 ASCII "little endian" andx: winreg opnum |18 00|, DREP bit clear; requires bind.winreg
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB InitiateSystemShutdown little endian andx attempt"; flowbits:isset,smb.tree.bind.winreg; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|18 00|"; distance:19; within:2; classtype:protocol-command-decode; sid:2993; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB InitiateSystemShutdown attempt"; flowbits:isset,smb.tree.bind.winreg; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 18|"; distance:19; within:2; classtype:protocol-command-decode; sid:2942; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NDdeSetTrustedShareW little endian andx overflow attempt"; flowbits:isset,smb.tree.bind.nddeapi; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|0C 00|"; distance:19; within:2; isdataat:256,relative; content:!"|00|"; distance:12; within:256; reference:bugtraq,11372; reference:cve,CAN-2004-0206; classtype:attempted-admin; sid:2969; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB D$ unicode andx share access"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; offset:39; depth:1; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"D|00 24 00 00 00|"; nocase; distance:2; classtype:protocol-command-decode; sid:2973; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS InitiateSystemShutdown unicode little endian andx attempt"; flowbits:isset,smb.tree.bind.winreg; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|18 00|"; distance:19; within:2; classtype:protocol-command-decode; sid:2999; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IPC$ andx share access"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; offset:39; depth:1; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"IPC|24 00|"; nocase; distance:2; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:2952; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NDdeSetTrustedShareW unicode andx overflow attempt"; flowbits:isset,smb.tree.bind.nddeapi; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 0C|"; distance:19; within:2; isdataat:512,relative; content:!"|00 00|"; distance:12; within:512; reference:bugtraq,11372; reference:cve,CAN-2004-0206; classtype:attempted-admin; sid:2966; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg bind attempt"; flowbits:isset,smb.tree.create.winreg; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; distance:1; within:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; within:16; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2940; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS InitiateSystemShutdown andx attempt"; flowbits:isset,smb.tree.bind.winreg; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 18|"; distance:19; within:2; classtype:protocol-command-decode; sid:2996; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS nddeapi unicode andx bind attempt"; flowbits:isset,smb.tree.create.nddeapi; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; distance:1; within:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; distance:29; within:16; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,CAN-2004-0206; classtype:protocol-command-decode; sid:2963; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS nddeapi unicode andx create tree attempt"; flowbits:isset,smb.tree.connect.ipc; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"|5C 00|n|00|d|00|d|00|e|00|a|00|p|00|i|00 00 00|"; nocase; distance:51; within:18; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,CAN-2004-0206; classtype:protocol-command-decode; sid:2959; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg andx bind attempt"; flowbits:isset,smb.tree.create.winreg; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; distance:1; within:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; within:16; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2990; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB InitiateSystemShutdown andx attempt"; flowbits:isset,smb.tree.bind.winreg; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 18|"; distance:19; within:2; classtype:protocol-command-decode; sid:2992; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg andx create tree attempt"; flowbits:isset,smb.tree.connect.ipc; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"|5C|winreg|00|"; nocase; distance:51; within:8; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2986; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB nddeapi unicode create tree attempt"; flowbits:isset,smb.tree.connect.ipc; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|A2|"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|5C 00|n|00|d|00|d|00|e|00|a|00|p|00|i|00 00 00|"; nocase; distance:51; within:18; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,CAN-2004-0206; classtype:protocol-command-decode; sid:2929; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB nddeapi andx create tree attempt"; flowbits:isset,smb.tree.connect.ipc; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"|5C|nddeapi|00|"; nocase; distance:51; within:9; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,CAN-2004-0206; classtype:protocol-command-decode; sid:2956; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NDdeSetTrustedShareW little endian overflow attempt"; flowbits:isset,smb.tree.bind.nddeapi; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|0C 00|"; distance:19; within:2; isdataat:256,relative; content:!"|00|"; distance:12; within:256; reference:bugtraq,11372; reference:cve,CAN-2004-0206; classtype:attempted-admin; sid:2946; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS nddeapi bind attempt"; flowbits:isset,smb.tree.create.nddeapi; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; distance:1; within:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; distance:29; within:16; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,CAN-2004-0206; classtype:protocol-command-decode; sid:2934; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS C$ andx share access"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; offset:39; depth:1; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"C|24 00|"; nocase; distance:2; content:!"IPC|24 00|"; nocase; distance:-5; within:5; classtype:protocol-command-decode; sid:2978; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS ADMIN$ andx share access"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; offset:39; depth:1; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"ADMIN|24 00|"; nocase; distance:2; classtype:protocol-command-decode; sid:2982; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NDdeSetTrustedShareW unicode little endian andx overflow attempt"; flowbits:isset,smb.tree.bind.nddeapi; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|0C 00|"; distance:19; within:2; isdataat:512,relative; content:!"|00 00|"; distance:12; within:512; reference:bugtraq,11372; reference:cve,CAN-2004-0206; classtype:attempted-admin; sid:2967; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB nddeapi unicode andx create tree attempt"; flowbits:isset,smb.tree.connect.ipc; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"|5C 00|n|00|d|00|d|00|e|00|a|00|p|00|i|00 00 00|"; nocase; distance:51; within:18; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,CAN-2004-0206; classtype:protocol-command-decode; sid:2957; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg unicode bind attempt"; flowbits:isset,smb.tree.create.winreg; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; distance:1; within:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; within:16; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2941; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB InitiateSystemShutdown unicode little endian andx attempt"; flowbits:isset,smb.tree.bind.winreg; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|18 00|"; distance:19; within:2; classtype:protocol-command-decode; sid:2995; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB too many stacked requests"; flow:to_server,established; content:"|FF|SMB"; pcre:"/^\x00.{3}\xFFSMB(\x73|\x74|\x75|\xa2|\x24|\x2d|\x2e|\x2f).{28}(\x73|\x74|\x75|\xa2|\x24|\x2d|\x2e|\x2f)/"; byte_jump:2,39,little; content:!"|FF|"; distance:-36; within:1; classtype:protocol-command-decode; sid:2950; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS D$ andx share access"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; offset:39; depth:1; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"D|24 00|"; nocase; distance:2; classtype:protocol-command-decode; sid:2974; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg unicode andx create tree attempt"; flowbits:isset,smb.tree.connect.ipc; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"|5C 00|w|00|i|00|n|00|r|00|e|00|g|00 00 00|"; nocase; distance:51; within:16; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2987; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NDdeSetTrustedShareW overflow attempt"; flowbits:isset,smb.tree.bind.nddeapi; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 0C|"; distance:19; within:2; isdataat:256,relative; content:!"|00|"; distance:12; within:256; reference:bugtraq,11372; reference:cve,CAN-2004-0206; classtype:attempted-admin; sid:2938; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NDdeSetTrustedShareW andx overflow attempt"; flowbits:isset,smb.tree.bind.nddeapi; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 0C|"; distance:19; within:2; isdataat:256,relative; content:!"|00|"; distance:12; within:256; reference:bugtraq,11372; reference:cve,CAN-2004-0206; classtype:attempted-admin; sid:2964; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB ADMIN$ andx share access"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; offset:39; depth:1; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"ADMIN|24 00|"; nocase; distance:2; classtype:protocol-command-decode; sid:2980; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS ADMIN$ unicode andx share access"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; offset:39; depth:1; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"A|00|D|00|M|00|I|00|N|00 24 00 00 00|"; nocase; distance:2; classtype:protocol-command-decode; sid:2983; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg unicode andx bind attempt"; flowbits:isset,smb.tree.create.winreg; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; distance:1; within:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; within:16; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2991; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB nddeapi unicode bind attempt"; flowbits:isset,smb.tree.create.nddeapi; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; distance:1; within:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; distance:29; within:16; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,CAN-2004-0206; classtype:protocol-command-decode; sid:2933; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB InitiateSystemShutdown unicode little endian attempt"; flowbits:isset,smb.tree.bind.winreg; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB%"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|18 00|"; distance:19; within:2; classtype:protocol-command-decode; sid:2945; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB nddeapi create tree attempt"; flowbits:isset,smb.tree.connect.ipc; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|A2|"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|5C|nddeapi|00|"; nocase; distance:51; within:9; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,CAN-2004-0206; classtype:protocol-command-decode; sid:2928; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NDdeSetTrustedShareW andx overflow attempt"; flowbits:isset,smb.tree.bind.nddeapi; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"&|00|"; distance:29; within:2; content:"|5C|PIPE|5C 00|"; nocase; distance:4; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; distance:1; within:1; content:"|00 0C|"; distance:19; within:2; isdataat:256,relative; content:!"|00|"; distance:12; within:256; reference:bugtraq,11372; reference:cve,CAN-2004-0206; classtype:attempted-admin; sid:2968; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS D$ unicode andx share access"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; offset:39; depth:1; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"D|00 24 00 00 00|"; nocase; distance:2; classtype:protocol-command-decode; sid:2975; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Session Setup NTMLSSP andx asn1 overflow attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"s"; offset:39; depth:1; byte_jump:2,0,little,relative; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; distance:27; within:7; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; classtype:protocol-command-decode; sid:3004; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Session Setup NTMLSSP unicode asn1 overflow attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMBs"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; distance:27; within:7; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; classtype:protocol-command-decode; sid:3003; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Session Setup NTMLSSP unicode andx asn1 overflow attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"s"; offset:39; depth:1; byte_jump:2,0,little,relative; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; distance:27; within:7; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; classtype:protocol-command-decode; sid:3005; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Session Setup NTMLSSP unicode andx asn1 overflow attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"s"; offset:39; depth:1; byte_jump:2,0,little,relative; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; distance:27; within:7; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; classtype:protocol-command-decode; sid:3002; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Session Setup NTMLSSP unicode asn1 overflow attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMBs"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; distance:27; within:7; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; classtype:protocol-command-decode; sid:3000; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Session Setup NTMLSSP andx asn1 overflow attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"s"; offset:39; depth:1; byte_jump:2,0,little,relative; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; distance:27; within:7; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; classtype:protocol-command-decode; sid:3001; rev:2;)
#----------------------------------------------------------------------------
# SMB NT_TRANSACT "NT CREATE" security-descriptor rules, sids 3018-3057.
#
# Every rule below runs the same decode pipeline before its family-specific
# check:
#   content:"|00|"; offset:0; depth:1;         first byte of the 4-byte session
#                                              header (NBSS on 139, direct TCP on
#                                              445) must be 0x00
#   content:"|FF|SMB..."; distance:3;          skip the 3-byte length, match the
#                                              SMB magic (+ command byte 0xA0 in
#                                              the non-andx variants)
#   byte_test:1,&|!&,128,6,relative;           bit 0x80 of the byte 6 past the
#                                              command (presumably flags2 high
#                                              byte / UNICODE bit): rules whose
#                                              msg says "unicode" use &, all
#                                              others !&
#   pcre:"/^.{27}/R";                          skip the rest of the 32-byte
#                                              SMB header
#   content:"|01 00|"; distance:37; within:2;  NT Trans function code 1, i.e.
#                                              NT_TRANSACT_CREATE per the msg
#   byte_jump:4,<-7|-15>,little,relative,from_beginning
#                                              follow a 4-byte LE offset field
#                                              to the parameter block / SD
# The "andx" variants match "|FF|SMB" plus a pcre alternation of AndX command
# bytes (0x75 0x2d 0x2f 0x73 0xa2 0x2e 0x24 0x74) and then look for 0xA0 at
# offset 39 + byte_jump:2,0 -- they are meant to catch the NT Trans request
# when it is chained behind another AndX command rather than first in the
# packet (the exact chain-walking is not verifiable from this file).
#
# Five families, by the check performed after the jump (sid blocks are
# contiguous, 8 rules each = {139,445} x {ascii,unicode} x {plain,andx}):
#   3018-3025 "oversized Security Descriptor": byte_test:4,>,1024,36  (length
#             field > 1024), reference CVE-2004-1154
#   3026-3033 "SACL overflow": non-null 4-byte field at distance:12 (SACL
#             offset), follow it, byte_test:4,>,32,-16, CVE-2004-1154
#   3034-3041 "DACL overflow": identical but distance:16 / byte_jump:4,16
#             (DACL offset), CVE-2004-1154
#   3042-3049 "invalid SACL ace size dos": non-null field at distance:12,
#             follow it, content:"|00 00|"; distance:-10 (a zero 16-bit size
#             field); no reference given
#   3050-3057 "invalid SACL ace size dos" again in msg, but non-null field at
#             distance:16 / byte_jump:4,16
#
# NOTE(review): sids 3050-3057 use the DACL-offset distances (16) that the
# DACL overflow family uses, while their msg text still says "SACL". Given
# the otherwise strict 8-rule-per-family layout, the msg looks mislabeled and
# these are most likely the DACL "ace size dos" counterparts of 3042-3049 --
# confirm against the SD layout before using the msg text to triage.
# NOTE(review): the dos families use flow:stateless, so they match packets
# outside any tracked TCP session (including spoofed / unestablished traffic)
# and can be noisier than the overflow rules, which require
# flow:established,to_server.
# NOTE(review): all rules are $EXTERNAL_NET -> $HOME_NET only; SMB between
# internal hosts (the usual lateral-movement path) is not inspected unless
# $EXTERNAL_NET overlaps $HOME_NET.
# NOTE(review): every rule, including the overflow sids, is
# classtype:protocol-command-decode; the priority that class maps to comes
# from classification.config (outside this file) and is typically low --
# consider attempted-admin / attempted-dos if alert ranking matters.
#----------------------------------------------------------------------------
# sid 3051: dos family, distance:16 (DACL-offset) variant -- msg says SACL, see note above
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"|01 00|"; distance:37; within:2; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; distance:16; within:4; byte_jump:4,16,relative,little; content:"|00 00|"; distance:-10; within:2; classtype:protocol-command-decode; sid:3051; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode DACL overflow attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|A0|"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; distance:37; within:2; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; distance:16; within:4; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3036; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode andx oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"|01 00|"; distance:37; within:2; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3025; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE andx SACL overflow attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"|01 00|"; distance:37; within:2; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; distance:12; within:4; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3027; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|A0|"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; distance:37; within:2; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; distance:12; within:4; byte_jump:4,12,relative,little; content:"|00 00|"; distance:-10; within:2; classtype:protocol-command-decode; sid:3044; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE SACL overflow attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|A0|"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; distance:37; within:2; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; distance:12; within:4; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3030; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"|01 00|"; distance:37; within:2; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; distance:12; within:4; byte_jump:4,12,relative,little; content:"|00 00|"; distance:-10; within:2; classtype:protocol-command-decode; sid:3047; rev:1;)
# sid 3054: dos family, distance:16 (DACL-offset) variant -- msg says SACL, see note above
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|A0|"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; distance:37; within:2; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; distance:16; within:4; byte_jump:4,16,relative,little; content:"|00 00|"; distance:-10; within:2; classtype:protocol-command-decode; sid:3054; rev:1;)
# sid 3057: dos family, distance:16 (DACL-offset) variant -- msg says SACL, see note above
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"|01 00|"; distance:37; within:2; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; distance:16; within:4; byte_jump:4,16,relative,little; content:"|00 00|"; distance:-10; within:2; classtype:protocol-command-decode; sid:3057; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode andx oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"|01 00|"; distance:37; within:2; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3021; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode SACL overflow attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|A0|"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; distance:37; within:2; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; distance:12; within:4; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3032; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|A0|"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; distance:37; within:2; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; distance:12; within:4; byte_jump:4,12,relative,little; content:"|00 00|"; distance:-10; within:2; classtype:protocol-command-decode; sid:3048; rev:1;)
# sid 3050: dos family, distance:16 (DACL-offset) variant -- msg says SACL, see note above
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|A0|"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; distance:37; within:2; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; distance:16; within:4; byte_jump:4,16,relative,little; content:"|00 00|"; distance:-10; within:2; classtype:protocol-command-decode; sid:3050; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|A0|"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; distance:37; within:2; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3024; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE SACL overflow attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|A0|"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; distance:37; within:2; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; distance:12; within:4; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3026; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE andx DACL overflow attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"|01 00|"; distance:37; within:2; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; distance:16; within:4; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3035; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode andx DACL overflow attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"|01 00|"; distance:37; within:2; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; distance:16; within:4; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3041; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|A0|"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; distance:37; within:2; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; distance:12; within:4; byte_jump:4,12,relative,little; content:"|00 00|"; distance:-10; within:2; classtype:protocol-command-decode; sid:3046; rev:1;)
# sid 3053: dos family, distance:16 (DACL-offset) variant -- msg says SACL, see note above
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"|01 00|"; distance:37; within:2; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; distance:16; within:4; byte_jump:4,16,relative,little; content:"|00 00|"; distance:-10; within:2; classtype:protocol-command-decode; sid:3053; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"|01 00|"; distance:37; within:2; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; distance:12; within:4; byte_jump:4,12,relative,little; content:"|00 00|"; distance:-10; within:2; classtype:protocol-command-decode; sid:3043; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|A0|"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; distance:37; within:2; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; distance:12; within:4; byte_jump:4,12,relative,little; content:"|00 00|"; distance:-10; within:2; classtype:protocol-command-decode; sid:3042; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE andx oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"|01 00|"; distance:37; within:2; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3019; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|A0|"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; distance:37; within:2; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3020; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE DACL overflow attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|A0|"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; distance:37; within:2; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; distance:16; within:4; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3034; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode andx SACL overflow attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"|01 00|"; distance:37; within:2; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; distance:12; within:4; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3029; rev:1;)
# sid 3052: dos family, distance:16 (DACL-offset) variant -- msg says SACL, see note above
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|A0|"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; distance:37; within:2; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; distance:16; within:4; byte_jump:4,16,relative,little; content:"|00 00|"; distance:-10; within:2; classtype:protocol-command-decode; sid:3052; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE andx oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"|01 00|"; distance:37; within:2; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3023; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE andx DACL overflow attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"|01 00|"; distance:37; within:2; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; distance:16; within:4; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3039; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode andx DACL overflow attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"|01 00|"; distance:37; within:2; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; distance:16; within:4; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3037; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"|01 00|"; distance:37; within:2; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; distance:12; within:4; byte_jump:4,12,relative,little; content:"|00 00|"; distance:-10; within:2; classtype:protocol-command-decode; sid:3045; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE andx SACL overflow attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"|01 00|"; distance:37; within:2; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; distance:12; within:4; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3031; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode SACL overflow attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|A0|"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; distance:37; within:2; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; distance:12; within:4; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3028; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|A0|"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; distance:37; within:2; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3018; rev:1;)
# sid 3056: dos family, distance:16 (DACL-offset) variant -- msg says SACL, see note above
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|A0|"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; distance:37; within:2; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; distance:16; within:4; byte_jump:4,16,relative,little; content:"|00 00|"; distance:-10; within:2; classtype:protocol-command-decode; sid:3056; rev:1;)
# sid 3055: dos family, distance:16 (DACL-offset) variant -- msg says SACL, see note above
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"|01 00|"; distance:37; within:2; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; distance:16; within:4; byte_jump:4,16,relative,little; content:"|00 00|"; distance:-10; within:2; classtype:protocol-command-decode; sid:3055; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode DACL overflow attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|A0|"; distance:3; within:5; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; distance:37; within:2; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; distance:16; within:4; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3040; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|A0|"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; distance:37; within:2; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3022; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"|01 00|"; distance:37; within:2; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; distance:12; within:4; byte_jump:4,12,relative,little; content:"|00 00|"; distance:-10; within:2; classtype:protocol-command-decode; sid:3049; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode andx SACL overflow attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; distance:3; within:4; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; offset:39; depth:1; byte_jump:2,0,little,relative; content:"|01 00|"; distance:37; within:2; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; distance:12; within:4; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3033; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE DACL overflow attempt"; flow:established,to_server; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|A0|"; distance:3; within:5; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; distance:37; within:2; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; distance:16; within:4; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3038; rev:1;)