# Emerging Threats
#
# This distribution may contain rules under two different licenses.
#
# Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2.
# A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html
#
# Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License
# as follows:
#
#*************************************************************
# Copyright (c) 2003-2019, Emerging Threats
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
#
#
#
#
# This Ruleset is EmergingThreats Open optimized for suricata-4.0-enhanced.
# --- ICMP type/code catalogue (all shipped disabled) ---
# Every rule in this run starts with "#", i.e. it is commented out. These rules
# key only on the ICMP type/code (itype/icode) with no payload condition, so
# enabling one fires on every such packet from $EXTERNAL_NET to $HOME_NET;
# enable selectively and expect volume from ordinary error traffic
# (e.g. the itype:3 destination-unreachable family).
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Address Mask Request"; icode:0; itype:17; classtype:misc-activity; sid:2100388; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Alternate Host Address"; icode:0; itype:6; classtype:misc-activity; sid:2100390; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Destination Unreachable Destination Host Unknown"; icode:7; itype:3; classtype:misc-activity; sid:2100394; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Destination Unreachable Destination Network Unknown"; icode:6; itype:3; classtype:misc-activity; sid:2100395; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Destination Unreachable Fragmentation Needed and DF bit was set"; icode:4; itype:3; classtype:misc-activity; sid:2100396; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Destination Unreachable Host Precedence Violation"; icode:14; itype:3; classtype:misc-activity; sid:2100397; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Destination Unreachable Host Unreachable for Type of Service"; icode:12; itype:3; classtype:misc-activity; sid:2100398; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Destination Unreachable Host Unreachable"; icode:1; itype:3; classtype:misc-activity; sid:2100399; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Destination Unreachable Network Unreachable for Type of Service"; icode:11; itype:3; classtype:misc-activity; sid:2100400; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Destination Unreachable Network Unreachable"; icode:0; itype:3; classtype:misc-activity; sid:2100401; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Destination Unreachable Port Unreachable"; icode:3; itype:3; classtype:misc-activity; sid:2100402; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Destination Unreachable Precedence Cutoff in effect"; icode:15; itype:3; classtype:misc-activity; sid:2100403; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Destination Unreachable Protocol Unreachable"; icode:2; itype:3; classtype:misc-activity; sid:2100404; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Destination Unreachable Source Host Isolated"; icode:8; itype:3; classtype:misc-activity; sid:2100405; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Destination Unreachable Source Route Failed"; icode:5; itype:3; classtype:misc-activity; sid:2100406; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Echo Reply"; icode:0; itype:0; classtype:misc-activity; sid:2100408; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Fragment Reassembly Time Exceeded"; icode:1; itype:11; classtype:misc-activity; sid:2100410; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO IPV6 I-Am-Here"; icode:0; itype:34; classtype:misc-activity; sid:2100411; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO IPV6 Where-Are-You"; icode:0; itype:33; classtype:misc-activity; sid:2100413; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
# NOTE(review): the two IRDP rules below carry reference:cve,1999-0875 and match
# itype:9/10 with no icode constraint; itype:9 is also covered further down by
# sid 2100441 (icode:0), so enabling both yields duplicate alerts for the same packet.
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO IRDP router advertisement"; itype:9; reference:arachnids,173; reference:bugtraq,578; reference:cve,1999-0875; classtype:misc-activity; sid:2100363; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO IRDP router selection"; itype:10; reference:arachnids,174; reference:bugtraq,578; reference:cve,1999-0875; classtype:misc-activity; sid:2100364; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Information Request"; icode:0; itype:15; classtype:misc-activity; sid:2100417; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Mobile Host Redirect"; icode:0; itype:32; classtype:misc-activity; sid:2100419; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Mobile Registration Reply"; icode:0; itype:36; classtype:misc-activity; sid:2100421; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Mobile Registration Request"; icode:0; itype:35; classtype:misc-activity; sid:2100423; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
# --- Ping-tool payload fingerprints (the only rules enabled in this file) ---
# Each enabled rule matches an ICMP echo request (itype:8) whose payload begins
# with a tool-specific byte pattern: "content:" is searched only within the first
# "depth:" bytes of the payload. These are informational (classtype:misc-activity)
# and name the tool or OS that produced the ping, not an attack; they are useful
# for inventorying what is probing $HOME_NET, and are cheap to keep enabled.
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO PING *NIX"; itype:8; content:"|10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F|"; depth:32; classtype:misc-activity; sid:2100366; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO PING BSDtype"; itype:8; content:"|08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17|"; depth:32; reference:arachnids,152; classtype:misc-activity; sid:2100368; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
# NOTE(review): the BayRS pattern |01 .. 0F| (sid 2100369) is a strict prefix of
# the Flowpoint pattern |01 .. 0F 10| (sid 2100373) three rules down, so any packet
# that triggers 2100373 also triggers 2100369 - expect the two alerts in pairs.
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO PING BayRS Router"; itype:8; content:"|01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F|"; depth:32; reference:arachnids,438; reference:arachnids,444; classtype:misc-activity; sid:2100369; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO PING BeOS4.x"; itype:8; content:"|00 00 00 00 00 00 00 00 00 00 00 00 08 09 0A 0B|"; depth:32; reference:arachnids,151; classtype:misc-activity; sid:2100370; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO PING Cisco Type.x"; itype:8; content:"|AB CD AB CD AB CD AB CD AB CD AB CD AB CD AB CD|"; depth:32; reference:arachnids,153; classtype:misc-activity; sid:2100371; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO PING Flowpoint2200 or Network Management Software"; itype:8; content:"|01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10|"; depth:32; reference:arachnids,156; classtype:misc-activity; sid:2100373; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO PING IP NetMonitor Macintosh"; itype:8; content:"|A9| Sustainable So"; depth:32; reference:arachnids,157; classtype:misc-activity; sid:2100374; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
# The LINUX/*BSD and Sun Solaris rules below are disabled; they key on payload
# size (dsize:8) rather than content, and the Linux one also pins an IP id (id:13170).
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO PING LINUX/*BSD"; dsize:8; id:13170; itype:8; reference:arachnids,447; classtype:misc-activity; sid:2100375; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO PING Microsoft Windows"; itype:8; content:"0123456789abcdefghijklmnop"; depth:32; reference:arachnids,159; classtype:misc-activity; sid:2100376; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO PING Network Toolbox 3 Windows"; itype:8; content:"================"; depth:32; reference:arachnids,161; classtype:misc-activity; sid:2100377; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO PING Ping-O-MeterWindows"; itype:8; content:"OMeterObeseArmad"; depth:32; reference:arachnids,164; classtype:misc-activity; sid:2100378; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO PING Pinger Windows"; itype:8; content:"Data|00 00 00 00 00 00 00 00 00 00 00 00|"; depth:32; reference:arachnids,163; classtype:misc-activity; sid:2100379; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO PING Seer Windows"; itype:8; content:"|88 04| "; depth:32; reference:arachnids,166; classtype:misc-activity; sid:2100380; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO PING Sun Solaris"; dsize:8; itype:8; reference:arachnids,448; classtype:misc-activity; sid:2100381; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO PING WhatsupGold Windows"; itype:8; content:"WhatsUp - A Netw"; depth:32; reference:arachnids,168; classtype:misc-activity; sid:2100482; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO PING Windows"; itype:8; content:"abcdefghijklmnop"; depth:16; reference:arachnids,169; classtype:misc-activity; sid:2100382; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
# NOTE(review): depth:100 here, where every other fingerprint in this file uses
# depth:32 (or 16); presumably intentional for this payload layout - confirm.
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO PING speedera"; itype:8; content:"89|3A 3B|<=>?"; depth:100; classtype:misc-activity; sid:2100480; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
# Generic "any echo request" catch-all (icode:0; itype:8, no content); disabled
# because it would fire on every inbound ping.
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO PING"; icode:0; itype:8; classtype:misc-activity; sid:2100384; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
# --- Redirects, router discovery, timestamps, traceroute and reserved types ---
# All disabled. Redirects (itype:5) and router advertisement/selection (itype:9/10)
# are the ones most worth reviewing for your environment: the redirect rules are
# classed bad-unknown and carry reference:cve,1999-0265, reflecting that ICMP
# redirects arriving from $EXTERNAL_NET are rarely legitimate.
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Redirect for TOS and Host"; icode:3; itype:5; classtype:misc-activity; sid:2100436; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Redirect for TOS and Network"; icode:2; itype:5; classtype:misc-activity; sid:2100437; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Router Advertisement"; icode:0; itype:9; reference:arachnids,173; classtype:misc-activity; sid:2100441; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Router Selection"; icode:0; itype:10; reference:arachnids,174; classtype:misc-activity; sid:2100443; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO SKIP"; icode:0; itype:39; classtype:misc-activity; sid:2100445; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Source Quench"; icode:0; itype:4; classtype:bad-unknown; sid:2100477; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO TJPingPro1.1Build 2 Windows"; itype:8; content:"TJPingPro by Jim"; depth:32; reference:arachnids,167; classtype:misc-activity; sid:2100481; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Timestamp Reply"; icode:0; itype:14; classtype:misc-activity; sid:2100451; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Timestamp Request"; icode:0; itype:13; classtype:misc-activity; sid:2100453; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
# NOTE(review): sid 2100455 (next line) and sid 2100475 four lines down are the
# same detection (ipopts:rr; itype:0; reference:arachnids,238) under two
# classtypes (misc-activity vs attempted-recon); enable at most one of them to
# avoid duplicate alerts per packet.
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Traceroute ipopts"; ipopts:rr; itype:0; reference:arachnids,238; classtype:misc-activity; sid:2100455; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Traceroute"; icode:0; itype:30; classtype:misc-activity; sid:2100456; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO redirect host"; icode:1; itype:5; reference:arachnids,135; reference:cve,1999-0265; classtype:bad-unknown; sid:2100472; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO redirect net"; icode:0; itype:5; reference:arachnids,199; reference:cve,1999-0265; classtype:bad-unknown; sid:2100473; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO traceroute ipopts"; ipopts:rr; itype:0; reference:arachnids,238; classtype:attempted-recon; sid:2100475; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
# Echo request with ttl:1 - the classic traceroute probe; attempted-recon.
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO traceroute"; itype:8; ttl:1; reference:arachnids,118; classtype:attempted-recon; sid:2100385; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO unassigned type 1"; icode:0; itype:1; classtype:misc-activity; sid:2100458; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO unassigned type 2"; icode:0; itype:2; classtype:misc-activity; sid:2100460; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO unassigned type 7"; icode:0; itype:7; classtype:misc-activity; sid:2100462; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
# Outbound direction ($HOME_NET -> $EXTERNAL_NET): these watch for replies
# leaving the network, i.e. internal hosts answering mask/information requests.
#alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL ICMP_INFO Address Mask Reply"; icode:0; itype:18; classtype:misc-activity; sid:2100386; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL ICMP_INFO Information Reply"; icode:0; itype:16; classtype:misc-activity; sid:2100415; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
# Direction "any any -> any any": unlike the rest of the file, these would also
# match traffic that never crosses the $HOME_NET/$EXTERNAL_NET boundary.
#alert icmp any any -> any any (msg:"GPL ICMP_INFO Destination Unreachable Communication Administratively Prohibited"; icode:13; itype:3; classtype:misc-activity; sid:2100485; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert icmp any any -> any any (msg:"GPL ICMP_INFO Destination Unreachable Communication with Destination Host is Administratively Prohibited"; icode:10; itype:3; classtype:misc-activity; sid:2100486; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert icmp any any -> any any (msg:"GPL ICMP_INFO Destination Unreachable Communication with Destination Network is Administratively Prohibited"; icode:9; itype:3; classtype:misc-activity; sid:2100487; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)