# (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al.
#    All rights reserved.
# $Id: sql.rules,v 1.13.2.2 2003/03/04 21:47:57 cazz Exp $
#----------
# SQL RULES
#----------

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB sp_start_job - program execution"; content: "s|00|p|00|_|00|s|00|t|00|a|00|r|00|t|00|_|00|j|00|o|00|b|00|"; nocase; flow:to_server,established; offset: 32; depth: 32; classtype:attempted-user; sid:676; rev:4;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB sp_password password change"; content: "s|00|p|00|_|00|p|00|a|00|s|00|s|00|w|00|o|00|r|00|d|00|"; nocase; flow:to_server,established; classtype:attempted-user; sid:677; rev:5;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB sp_delete_alert log file deletion"; content: "s|00|p|00|_|00|d|00|e|00|l|00|e|00|t|00|e|00|_|00|a|00|l|00|e|00|"; nocase; flow:to_server,established; classtype:attempted-user; sid:678; rev:5;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB sp_adduser database user creation"; content: "s|00|p|00|_|00|a|00|d|00|d|00|u|00|s|00|e|00|r|00|"; nocase; flow:to_server,established; offset:32; depth:32; classtype:attempted-user; sid:679; rev:4;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_enumresultset possible buffer overflow"; content: "x|00|p|00|_|00|e|00|n|00|u|00|m|00|r|00|e|00|s|00|u|00|l|00|t|00|s|00|e|00|t|00|"; nocase; flow:to_server,established; offset:32; reference:bugtraq,2031; reference:cve,CAN-2000-1082; classtype:attempted-user; sid:708; rev:5;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB raiserror possible buffer overflow"; content:"r|00|a|00|i|00|s|00|e|00|r|00|r|00|o|00|r|00|"; nocase; flow:to_server,established; offset: 32; reference:bugtraq,3733; classtype:attempted-user; sid:1386; rev:4;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_displayparamstmt possible buffer overflow"; content: "x|00|p|00|_|00|d|00|i|00|s|00|p|00|l|00|a|00|y|00|p|00|a|00|r|00|a|00|m|00|s|00|t|00|m|00|t|00|"; nocase; flow:to_server,established; offset:32; reference:bugtraq,2030; reference:cve,CAN-2000-1081; classtype:attempted-user; sid:702; rev:5;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_setsqlsecurity possible buffer overflow"; content: "x|00|p|00|_|00|s|00|e|00|t|00|s|00|q|00|l|00|s|00|e|00|c|00|u|00|r|00|i|00|t|00|y|00|"; nocase; flow:to_server,established; offset:32; classtype:attempted-user; reference:bugtraq,2043; sid:703; rev:5;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_cmdshell program execution"; content: "x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; nocase; flow:to_server,established; offset:32; classtype:attempted-user; sid:681; rev:4;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_reg* registry access"; content: "x|00|p|00|_|00|r|00|e|00|g|00|"; nocase; flow:to_server,established; offset:32; depth:32; classtype:attempted-user; sid:689; rev:4;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_printstatements possible buffer overflow"; content: "x|00|p|00|_|00|p|00|r|00|i|00|n|00|t|00|s|00|t|00|a|00|t|00|e|00|m|00|e|00|n|00|t|00|s|00|"; nocase; flow:to_server,established; offset:32; reference:bugtraq,2041; reference:cve,CAN-2000-1086; classtype:attempted-user; sid:690; rev:4;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB shellcode attempt"; content: "|3920d0009201c200520055003920ec00|"; flow:to_server,established; classtype:shellcode-detect; sid:692; rev:4;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB shellcode attempt"; content: "|4800250078007700900090009000900090003300c000500068002e00|"; flow:to_server,established; classtype:attempted-user; sid:694; rev:4;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_sprintf possible buffer overflow"; content: "x|00|p|00|_|00|s|00|p|00|r|00|i|00|n|00|t|00|f|00|"; nocase; flow:to_server,established; offset: 32; reference:bugtraq,1204; classtype:attempted-user; sid:695; rev:5;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_showcolv possible buffer overflow"; content: "x|00|p|00|_|00|s|00|h|00|o|00|w|00|c|00|o|00|l|00|v|00|"; nocase; flow:to_server,established; offset:32; reference:bugtraq,2038; classtype:attempted-user; sid:696; rev:5;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_peekqueue possible buffer overflow"; content: "x|00|p|00|_|00|p|00|e|00|e|00|k|00|q|00|u|00|e|00|u|00|e|00|"; nocase; flow:to_server,established; offset:32; reference:bugtraq,2040; reference:cve,CAN-2000-1085; classtype:attempted-user; sid:697; rev:5;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_proxiedmetadata possible buffer overflow"; content: "x|00|p|00|_|00|p|00|r|00|o|00|x|00|i|00|e|00|d|00|m|00|e|00|t|00|a|00|d|00|a|00|t|00|a|00|"; nocase; flow:to_server,established; offset:32; reference:bugtraq,2042; reference:cve,CAN-2000-1087; classtype:attempted-user; sid:698; rev:5;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_updatecolvbm possible buffer overflow"; content: "x|00|p|00|_|00|u|00|p|00|d|00|a|00|t|00|e|00|c|00|o|00|l|00|v|00|b|00|m|00|"; nocase; flow:to_server,established; offset:32; reference:bugtraq,2039; reference:cve,CAN-2000-1084; classtype:attempted-user; sid:700; rev:5;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL sp_start_job - program execution"; content: "s|00|p|00|_|00|s|00|t|00|a|00|r|00|t|00|_|00|j|00|o|00|b|00|"; nocase; flow:to_server,established; classtype:attempted-user; sid:673; rev:4;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_displayparamstmt possible buffer overflow"; content: "x|00|p|00|_|00|d|00|i|00|s|00|p|00|l|00|a|00|y|00|p|00|a|00|r|00|a|00|m|00|s|00|t|00|m|00|t"; nocase; flow:to_server,established; reference:bugtraq,2030; reference:cve,CAN-2000-1081; classtype:attempted-user; sid:674; rev:4;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_setsqlsecurity possible buffer overflow"; content: "x|00|p|00|_|00|s|00|e|00|t|00|s|00|q|00|l|00|s|00|e|00|c|00|u|00|r|00|i|00|t|00|y|00|"; nocase; flow:to_server,established; reference:bugtraq,2043; classtype:attempted-user; sid:675; rev:5;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_enumresultset possible buffer overflow"; content: "x|00|p|00|_|00|e|00|n|00|u|00|m|00|r|00|e|00|s|00|u|00|l|00|t|00|s|00|e|00|t|00|"; nocase; flow:to_server,established; classtype:attempted-user; sid:682; rev:5;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL sp_password - password change"; content: "s|00|p|00|_|00|p|00|a|00|s|00|s|00|w|00|o|00|r|00|d|00|"; nocase; flow:to_server,established; classtype:attempted-user; sid:683; rev:4;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL sp_delete_alert log file deletion"; content: "s|00|p|00|_|00|d|00|e|00|l|00|e|00|t|00|e|00|_|00|a|00|l|00|e|00|r|00|t|00|"; nocase; flow:to_server,established; classtype:attempted-user; sid:684; rev:4;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL sp_adduser - database user creation"; content: "s|00|p|00|_|00|a|00|d|00|d|00|u|00|s|00|e|00|r|00|"; nocase; flow:to_server,established; classtype:attempted-user; sid:685; rev:4;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_reg* - registry access"; content: "x|00|p|00|_|00|r|00|e|00|g|00|"; nocase; flow:to_server,established; classtype:attempted-user; sid:686; rev:4;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_cmdshell - program execution"; content: "x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; nocase; flow:to_server,established; classtype:attempted-user; sid:687; rev:4;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL shellcode attempt"; content: "|3920d0009201c200520055003920ec00|"; flow:to_server,established; classtype:shellcode-detect; sid:691; rev:3;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL shellcode attempt"; content: "|4800250078007700900090009000900090003300c000500068002e00|"; flow:to_server,established; classtype:shellcode-detect; sid:693; rev:3;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_printstatements possible buffer overflow"; content: "x|00|p|00|_|00|p|00|r|00|i|00|n|00|t|00|s|00|t|00|a|00|t|00|e|00|m|00|e|00|n|00|t|00|s|00|"; nocase; flow:to_server,established; reference:bugtraq,2041; reference:cve,CAN-2000-1086; classtype:attempted-user; sid:699; rev:5;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_updatecolvbm possible buffer overflow"; content: "x|00|p|00|_|00|u|00|p|00|d|00|a|00|t|00|e|00|c|00|o|00|l|00|v|00|b|00|m|00|"; nocase; flow:to_server,established; reference:bugtraq,2039; reference:cve,CAN-2000-1084; classtype:attempted-user; sid:701; rev:5;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_sprintf possible buffer overflow"; content: "x|00|p|00|_|00|s|00|p|00|r|00|i|00|n|00|t|00|f|00|"; nocase; flow:to_server,established; reference:bugtraq,1204; classtype:attempted-user; sid:704; rev:5;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_showcolv possible buffer overflow"; content: "x|00|p|00|_|00|s|00|h|00|o|00|w|00|c|00|o|00|l|00|v|00|"; nocase; flow:to_server,established; reference:bugtraq,2038; reference:cve,CAN-2000-1083; classtype:attempted-user; sid:705; rev:5;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_peekqueue possible buffer overflow"; content: "x|00|p|00|_|00|p|00|e|00|e|00|k|00|q|00|u|00|e|00|u|00|e|00|"; nocase; flow:to_server,established; reference:bugtraq,2040; reference:cve,CAN-2000-1085; classtype:attempted-user; sid:706; rev:5;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_proxiedmetadata possible buffer overflow"; content: "x|00|p|00|_|00|p|00|r|00|o|00|x|00|i|00|e|00|d|00|m|00|e|00|t|00|a|00|d|00|a|00|t|00|a|00|"; nocase; flow:to_server,established; reference:bugtraq,2024; reference:cve,CAN-2000-1087; classtype:attempted-user; sid:707; rev:5;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL raiserror possible buffer overflow"; content:"r|00|a|00|i|00|s|00|e|00|r|00|r|00|o|00|r|00|"; nocase; flow:to_server,established; reference:bugtraq,3733; classtype:attempted-user; sid:1387; rev:4;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 445 (msg:"MS-SQL xp_cmdshell program execution (445)"; content: "x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; nocase; flow:to_server,established; classtype:attempted-user; sid:1759; rev:2;)
alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"MS-SQL sa login failed"; content: "Login failed for user |27|sa|27|"; flow:from_server,established; classtype:unsuccessful-user; sid:688; rev:4;)
alert tcp $SQL_SERVERS 139 -> $EXTERNAL_NET any (msg:"MS-SQL/SMB sa login failed"; content: "Login failed for user |27|sa|27|"; flow:from_server,established; offset:83; classtype:attempted-user; sid:680; rev:4;)
alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Worm propagation attempt"; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1 01|"; content:"sock"; content:"send"; reference:bugtraq,5310; classtype:misc-attack; reference:bugtraq,5311; reference:url,vil.nai.com/vil/content/v_99992.htm; sid:2003; rev:2;)
alert udp $HOME_NET any -> $EXTERNAL_NET 1434 (msg:"MS-SQL Worm propagation attempt OUTBOUND"; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1|"; content:"sock"; content:"send"; reference:bugtraq,5310; classtype:misc-attack; reference:bugtraq,5311; reference:url,vil.nai.com/vil/content/v_99992.htm; sid:2004; rev:1;)