GROUP_NAME=MISC_HUNGRY
GROUP_DESCRIPTION=This group contains a few custom Dragon NIDS signatures which are known to be CPU-hungry. They should not be enabled on heavily loaded sensors if possible.

# $Id: MISC_HUNGRY.lib,v 1.2 2006/05/19 15:10:31 hlein Exp $

NAME=IE:MIDI-EMBED
SIGNATURE=T S A S 10 0 W IE:MIDI-EMBED /3cembed/20src/3d , /2emid
DESCRIPTION=Temporary signature for MS2003-030 (buffer overrun in the MIDI handler of DirectX). This signature looks for any HTML EMBED tags referring to a .mid file. Most hits are likely to be false positives.
CERT=CA-2003-18
MODIFIED=Y
DISABLED=N

NAME=IE:MIDI-IMGDYNSRC
SIGNATURE=T S A S 10 0 W IE:MIDI-IMGDYNSRC /3cimg/20dynsrc/3d , /2emid
DESCRIPTION=Temporary signature for MS2003-030 (buffer overrun in the MIDI handler of DirectX). This signature looks for any HTML IMG tags whose DYNSRC attribute refers to a .mid file. Most hits are likely to be false positives.
CERT=CA-2003-18
MODIFIED=Y
DISABLED=N

NAME=IE:MIDI-IMGSRC
SIGNATURE=T S A S 10 0 W IE:MIDI-IMGSRC /3cimg/20src/3d , /2emid
DESCRIPTION=Temporary signature for MS2003-030 (buffer overrun in the MIDI handler of DirectX). This signature looks for any HTML IMG tags whose SRC attribute refers to a .mid file.
MODIFIED=Y
DISABLED=Y

NAME=IE:MHTML-FILE
SIGNATURE=T S A S 10 0 W IE:MHTML-FILE codebase/3d/27mhtml/3afile/3a/2f/2f
DESCRIPTION=There is a feature in Internet Explorer: when it tries to retrieve a file embedded in an MHT file, like mhtml:Mhtml_File_Url!Original_Resource_Url, and Original_Resource_Url cannot be retrieved from Mhtml_File_Url, IE will try to download Original_Resource_Url and return the downloaded content. --From the original writeup--
BUGTRAQ=9105
URL=http://www.securityfocus.com/archive/1/345615
MODIFIED=Y
DISABLED=N

NAME=SPOOF:VISA-NAC-URL
SIGNATURE=T D A B 100 0 W SPOOF:VISA-NAC-URL GET/20/2f/7egotier/2fverified/5fby/5fvisa/2ehtm/20HTTP/2f
Description=On 2003-12-23 many people began receiving spam mail claiming to be from Visa which contained links spoofed to look like they came from visa.com, which launched a Javascript popup to harvest users' credit card numbers. This signature triggers on a GET of the initial URL sent in the emails.
URL=https://marc.theaimsgroup.com/?t=107218191100002&r=1&w=2
MODIFIED=Y
DISABLED=N

NAME=SPOOF:VISA-NAC-POPUP
SIGNATURE=T D A B 100 0 W SPOOF:VISA-NAC-POPUP GET/20/2f/7egotier/2fr/2ephp/20HTTP/2f
Description=On 2003-12-23 many people began receiving spam mail claiming to be from Visa which contained links spoofed to look like they came from visa.com, which launched a Javascript popup to harvest users' credit card numbers. This signature triggers on a GET of the popup card-harvesting page.
URL=https://marc.theaimsgroup.com/?t=107218191100002&r=1&w=2
MODIFIED=Y
DISABLED=N

NAME=GENERIC:UPX-VER
SIGNATURE=T D A B 50 800 A GENERIC:UPX-VER UPX0/00 , /00UPX/21/0c/09
DESCRIPTION=UPX is a compression program that compresses executables in place: the resulting .exe file is compressed but can be run without being extracted to a separate file (as a typical self-extracting Zip file would need to be). There are legitimate reasons to use a binary compressor such as UPX, but the vast majority of UPX-compressed binaries are malware; worms, backdoors, etc. are often compressed with UPX to reduce transfer time and to add a layer of obfuscation to complicate analysis. This signature triggers on binary headers observed in executables created by UPX versions 1.07 - 1.24; it will only work so long as the header format is not changed. If this event triggers, it most likely means that systems have already been compromised and the attackers are uploading rootkits, or a worm is spreading and will soon be replicating from the target machine. (The exception is if this triggers on inbound TCP port 25 traffic: that means someone is being sent UPX-compressed malware, but does not mean they are infected with it *yet*... on the other hand, the sender definitely is!)
URL=http://upx.sourceforge.net/
MODIFIED=Y
DISABLED=N
UPDATED=N

NAME=PHATBOT:P2P
SIGNATURE=T S A B 40 400 A PHATBOT:P2P Wonk/2d , /00/23waste/00
DESCRIPTION=Phatbot is a trojan/backdoor that attempts to spread itself via a number of Windows-based vulnerabilities. Because of this, you may also notice a small spike in some of the more successful Windows vulnerabilities such as DCOM, WebDAV, DameWare, or the Locator Service (among others). In addition to all the popular DDoS tool functionality, the tool can also run various protocol redirectors and proxies, as well as password stealers. This event detects the bot's P2P control connection. The source machine is infected and/or is the attacker, and the destination machine is infected. This signature is based on a Snort signature posted by LURHQ.
URL=http://www.lurhq.com/phatbot.html
MODIFIED=Y
DISABLED=N

NAME=IE:APPID-OVERFLOW
SIGNATURE=T S A S 40 0 W IE:APPID-OVERFLOW object/2eappid > 255
DESCRIPTION=Internet Explorer allows third-party COM objects to be referenced/invoked by HTML pages. A number of poorly written COM objects have buffer overruns in several published properties. Malicious websites can compromise MSIE users by invoking a "trusted" COM object and passing it an oversized parameter, causing it to crash and giving the attacker control of the victim's MSIE process. ActiveX and other scripting do need to be enabled for this exploit to work. This alarm indicates that tags have been returned from a web server which contain oversized strings invoking the 'object.AppId' property. It may be a false positive, but it is unlikely such a large string would be legitimate.
EVENTGROUP=ATTACKS
URL=http://marc.theaimsgroup.com/?l=full-disclosure&m=108263085315643&w=2
MODIFIED=Y
DISABLED=N

NAME=IE:DESKTOPICON-OVERFLOW
SIGNATURE=T S A S 40 0 W IE:DESKTOPICON-OVERFLOW object/2edesktopicon > 255
DESCRIPTION=Internet Explorer allows third-party COM objects to be referenced/invoked by HTML pages. A number of poorly written COM objects have buffer overruns in several published properties. Malicious websites can compromise MSIE users by invoking a "trusted" COM object and passing it an oversized parameter, causing it to crash and giving the attacker control of the victim's MSIE process. ActiveX and other scripting do need to be enabled for this exploit to work. This alarm indicates that tags have been returned from a web server which contain oversized strings invoking the 'object.DesktopIcon' property. It may be a false positive, but it is unlikely such a large string would be legitimate.
EVENTGROUP=ATTACKS
URL=http://marc.theaimsgroup.com/?l=full-disclosure&m=108263085315643&w=2
MODIFIED=Y
DISABLED=N

NAME=IE:TEST-OVERFLOW
SIGNATURE=T S A S 40 0 W IE:TEST-OVERFLOW object/2etest > 255
DESCRIPTION=Internet Explorer allows third-party COM objects to be referenced/invoked by HTML pages. A number of poorly written COM objects have buffer overruns in several published properties. Malicious websites can compromise MSIE users by invoking a "trusted" COM object and passing it an oversized parameter, causing it to crash and giving the attacker control of the victim's MSIE process. ActiveX and other scripting do need to be enabled for this exploit to work. This alarm indicates that tags have been returned from a web server which contain oversized strings invoking the 'object.Test' property. It may be a false positive, but it is unlikely such a large string would be legitimate.
EVENTGROUP=ATTACKS
URL=http://marc.theaimsgroup.com/?l=full-disclosure&m=108263085315643&w=2
MODIFIED=Y
DISABLED=N

NAME=IE:START2-OVERFLOW
SIGNATURE=T S A S 40 0 W IE:START2-OVERFLOW object/2estart2 > 255
DESCRIPTION=Internet Explorer allows third-party COM objects to be referenced/invoked by HTML pages. A number of poorly written COM objects have buffer overruns in several published properties. Malicious websites can compromise MSIE users by invoking a "trusted" COM object and passing it an oversized parameter, causing it to crash and giving the attacker control of the victim's MSIE process. ActiveX and other scripting do need to be enabled for this exploit to work. This alarm indicates that tags have been returned from a web server which contain oversized strings invoking the 'object.Start2' property. It may be a false positive, but it is unlikely such a large string would be legitimate.
EVENTGROUP=ATTACKS
URL=http://marc.theaimsgroup.com/?l=full-disclosure&m=108263085315643&w=2
MODIFIED=Y
DISABLED=N

NAME=IE:YINSTHELPER
SIGNATURE=T S A S 20 0 W IE:YINSTHELPER set/20object/20/3d/20createobject/28/22yinsthelper/2ey
DESCRIPTION=Internet Explorer allows third-party COM objects to be referenced/invoked by HTML pages. A number of vulnerabilities have been documented in the yinsthelper.dll installed as part of Yahoo Messenger. This signature triggers when a web page invokes one of the COM objects provided by this DLL, which may be legitimate, or may be the beginning of an attack.
EVENTGROUP=SUSPICIOUS
URL=http://marc.theaimsgroup.com/?l=full-disclosure&m=108263085315643&w=2
MODIFIED=Y
DISABLED=N

NAME=MACOSX:URI-HANDLER-JR
SIGNATURE=T S T S 50 0 80 MACOSX:URI-HANDLER-JR help/3arunscript
DESCRIPTION=A vulnerability reported on MacOS X where the "help" URI handler allows execution of arbitrary local scripts (.scpt) via the classic directory traversal character sequence using "help:runscript". Browsers known to be vulnerable on MacOS X are Safari 1.2.1 (v125.1) and Internet Explorer 5.2. A large number of easy working exploits are known to be in circulation in the wild. Signature contributed by Jon Repaci.
EVENTGROUP=ATTACKS
DATE_MODIFIED=2004-05-18
URL=http://secunia.com/advisories/11622
URL=http://www.insecure.ws/article.php?story=2004051612423136
MODIFIED=Y
DISABLED=N

NAME=IE:SAVETOFILE
SIGNATURE=T S A S 20 0 W IE:SAVETOFILE SaveToFile/28
DESCRIPTION=Internet Explorer with ActiveX enabled allows various dangerous API calls. While they sometimes have legitimate uses, they are generally a bad idea and should be disallowed in the browser configuration. ADO.SaveToFile allows a malicious website to create or overwrite arbitrary files on a victim machine, and is being actively used to install spyware, backdoors, trojans, etc. on victim machines. The user need only browse a website with malicious active script content, and they will be remotely compromised.
EVENTGROUP=COMP
URL=https://marc.theaimsgroup.com/?t=108119015600002&r=1&w=2
MODIFIED=Y
DISABLED=N

NAME=IE:TROJAN-ILOOKUP
SIGNATURE=T S A S 200 0 W IE:TROJAN-ILOOKUP url/3Ams-its/3Ac/3A
DESCRIPTION=iLookup Trojan exploit, identified through the use of the URL:ms-its:C: string. The related vulnerabilities should be patched by MS04-013. Contributed by Pete Schuyler.
CVE=CAN-2004-0549
URL=www.us-cert.gov/cas/techalerts/TA04-163A.html
MODIFIED=Y
DISABLED=N

NAME=IE:MS-ITS-CHM-2
SIGNATURE=T S A S 200 0 W IE:MS-ITS-CHM-2 /3cobject/20 , /3amhtml/3afile/3a/2f/2f
DESCRIPTION=ITS Protocol/CHM exploit embedded in a web page's object tag. This vulnerability can be patched with MS04-013. Contributed by Pete Schuyler.
CVE=CAN-2004-0380
URL=https://marc.theaimsgroup.com/?t=108731019100005&r=1&w=2
URL=http://www.microsoft.com/technet/security/bulletin/ms04-013.mspx
URL=https://marc.theaimsgroup.com/?l=full-disclosure&m=108697058415392&w=2
MODIFIED=Y
DISABLED=N

NAME=IE:MS-ITS-CHM
SIGNATURE=T S A S 200 0 W IE:MS-ITS-CHM ms-its/3a , /2echm/3a/3a/2f
DESCRIPTION=Generic ITS Protocol/CHM exploit. The related vulnerabilities should be patched by MS04-013. Based on contributions by Pete Schuyler.
EVENTGROUP=COMP
CVE=CAN-2004-0549
CVE=CAN-2004-0380
URL=https://marc.theaimsgroup.com/?t=108731019100005&r=1&w=2
URL=http://www.microsoft.com/technet/security/bulletin/ms04-013.mspx
URL=https://marc.theaimsgroup.com/?l=full-disclosure&m=108697058415392&w=2
MODIFIED=Y
DISABLED=N

NAME=IE:GDI-JPEG-HDR2
SIGNATURE=T S A B 20 0 W IE:GDI-JPEG-HDR2 JFIF , /83/c3/12/c6/03/90/43/3b/d9/75/f8/44/44/44/44/44/44/44/44/44/44/44/44/44/01/15/19/19/20/1c/20/26/18/18/26/36/26/20/26/36/44/36/2b/2b/36
DESCRIPTION=This signature should detect one of the known exploits for the Microsoft JPEG vulnerability, MS04-28.
MODIFIED=Y
DISABLED=N
UPDATED=N

NAME=IE:EMBED-VULN
SIGNATURE=T S A B 20 0 W IE:EMBED-VULN /3c/00E/00M/00B/00E/00D/00/20/00S/00R/00C/00/3d/00f/00i/00l/00e/00/3a/00/2f/00/2f/00B/00B/00B/00B/00B/00B/00B/00B/00B/00B > 200
DESCRIPTION=This signature should detect one of the known exploits for a new, unpatched Microsoft IE EMBED/FRAME/IFRAME vulnerability. Based on a signature by Mike Iglesias.
MODIFIED=Y
DISABLED=N
UPDATED=N

NAME=IE:FRAME-VULN
SIGNATURE=T S A B 20 0 W IE:FRAME-VULN /3c/00F/00R/00A/00M/00E/00/20/00S/00R/00C/00/3d/00f/00i/00l/00e/00/3a/00/2f/00/2f/00B/00B/00B/00B/00B/00B/00B/00B/00B/00B > 200
DESCRIPTION=This signature should detect one of the known exploits for a new, unpatched Microsoft IE EMBED/FRAME/IFRAME vulnerability. Based on a signature by Mike Iglesias.
MODIFIED=Y
DISABLED=N
UPDATED=N

NAME=CLIENT:HTML-DATA-IMG
SIGNATURE=T S A S 50 0 W CLIENT:HTML-DATA-IMG src=/22data/3aimage/2f
DESCRIPTION=Several browsers support binary data encoded inline in an HTML page, a questionable practice allowed for in RFC 2397. This is hardly ever used by legitimate websites; it is almost always an attempt to bypass content filters, virus filters, etc. This signature triggers when images are embedded inline; the sending website is likely malicious, and the receiving client should be checked for a malware infection.
MODIFIED=Y
DISABLED=N
UPDATED=N

NAME=CLIENT:HTML-DATA-APP
SIGNATURE=T S A S 50 0 W CLIENT:HTML-DATA-APP src=/22data/3aapplication/2f
DESCRIPTION=Several browsers support binary data encoded inline in an HTML page, a questionable practice allowed for in RFC 2397. This is hardly ever used by legitimate websites; it is almost always an attempt to bypass content filters, virus filters, etc. This signature triggers when applications are embedded inline; the sending website is almost definitely malicious, and the receiving client should be checked for a malware infection.
MODIFIED=Y
DISABLED=N
UPDATED=N

NAME=IE:CURSOR-ANI
SIGNATURE=T S A S 50 0 W IE:CURSOR-ANI cursor/3aurl/28
DESCRIPTION=MS Internet Explorer has a buffer overrun in its handling of animated cursors, .ANI files. This can be exploited in any tool that uses IE to render HTML (including Outlook, Word, Excel, etc.). This signature detects any web page which specifies an alternate cursor image. This does *not* mean that there has necessarily been an attack; this signature will trigger on legitimate uses of animated cursors as well. It will be necessary to review the contents of the TCP session and evaluate the data being referenced as the alternate cursor.
MODIFIED=Y
DISABLED=N
UPDATED=N

NAME=IE:CURSOR-ANI2
SIGNATURE=T S A S 50 0 W IE:CURSOR-ANI2 cursor/3a/20url/28
DESCRIPTION=MS Internet Explorer has a buffer overrun in its handling of animated cursors, .ANI files. This can be exploited in any tool that uses IE to render HTML (including Outlook, Word, Excel, etc.). This signature detects any web page which specifies an alternate cursor image. This does *not* mean that there has necessarily been an attack; this signature will trigger on legitimate uses of animated cursors as well. It will be necessary to review the contents of the TCP session and evaluate the data being referenced as the alternate cursor.
MODIFIED=Y
DISABLED=N
UPDATED=N
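The SIGNATURE lines above encode their byte patterns as /xx hex escapes (/3c is '<', /20 a space, /00 a NUL), so it is easy to misread what a rule actually matches. The Python below is an added example, not part of the Dragon library or its tooling: it decodes that escaping and runs three of the signatures above over constructed sample data. Its reading of the line layout (seven header tokens, the NAME, then a ' , '-separated pattern list with an optional '> N' threshold taken as the minimum number of bytes following the last match on the same line) and its case-insensitive treatment of 'S'-type patterns are assumptions, not Dragon's documented semantics.

```python
import re

# Signature lines copied from the library above. The field layout and the
# matching rules assumed here are this example's reading of the format.
SIGS = [
    "T S A S 10 0 W IE:MIDI-EMBED /3cembed/20src/3d , /2emid",
    "T D A B 50 800 A GENERIC:UPX-VER UPX0/00 , /00UPX/21/0c/09",
    "T S A S 40 0 W IE:APPID-OVERFLOW object/2eappid > 255",
]
ESC = re.compile(r"/([0-9a-fA-F]{2})")

def decode(pattern):
    """Expand /xx hex escapes into raw bytes: /3c -> b'<', /20 -> b' ', /00 -> NUL."""
    return ESC.sub(lambda m: chr(int(m.group(1), 16)), pattern).encode("latin-1")

def parse(line):
    """Return (name, case_insensitive, [patterns], min_trailing_len or None)."""
    fields = line.split(None, 8)                   # 7 header tokens, NAME, pattern text
    name, rest = fields[7], fields[8]
    m = re.fullmatch(r"(.*?)\s*>\s*(\d+)", rest)   # trailing "> N" length threshold
    min_len = int(m.group(2)) if m else None
    rest = m.group(1) if m else rest
    patterns = [decode(p.strip()) for p in rest.split(" , ")]
    return name, fields[3] == "S", patterns, min_len   # assumed: S = string, B = binary

def scan(data, sigs=SIGS):
    """Return the names of signatures whose patterns all occur in data, in order."""
    hits = []
    for line in sigs:
        name, nocase, patterns, min_len = parse(line)
        hay = data.lower() if nocase else data
        pos = 0
        for pat in patterns:
            pos = hay.find(pat.lower() if nocase else pat, pos)
            if pos < 0:
                break
            pos += len(pat)
        else:
            # "> N": the rest of the line after the last match must exceed N bytes
            if min_len is None or len(hay[pos:].split(b"\n", 1)[0]) > min_len:
                hits.append(name)
    return hits

# Constructed sample traffic (not real captures): one hit per signature, plus a
# short AppId assignment that stays under the 255-byte threshold.
SAMPLES = {
    "midi_page": b'<html><body><EMBED SRC="tune.mid"></body></html>',
    "upx_binary": b"MZ" + b"\x00" * 64 + b"UPX0\x00" + b"\x90" * 32 + b"\x00UPX!\x0c\x09",
    "appid_long": b'<script>object.AppId = "' + b"A" * 300 + b'";</script>',
    "appid_short": b'<script>object.AppId = "' + b"A" * 20 + b'";</script>',
}
```

Calling scan() on each SAMPLES entry shows why the overflow rules carry a threshold: the short AppId assignment produces no alert, while the 300-byte one does.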