$Id: RULES.todo,v 1.13 2002/11/24 21:47:22 cazz Exp $

RULES todo

- BUGTRAQ 1199.  Old sig was sid:876, which doesn't actually catch exploit 
  attempts.  

- review sid:973.  where did this come from?  is it really bid 1448?

- uh, sid:1044.  What are we really looking for?

- sid:1143, 1144.  what the hell does /// do?  

- sid:1147 - cat%20.  can it be done via post?

- sid:1231 - doesn't seem to be bid:2808.  What's this actually from?

- PGPMail.pl vulnerability
  Message-Id: <0111291925580K.19881@ks40.eastnet.gatech.edu> sent to vuln-dev

- sid:1377,1378 - add reference:cve,CAN-2001-0550

- write sig for http://www.tempest.com.br/advisories/01-2001.html

- bitchslap securiteam for resending other people's alerts without passing 
  on any of the useful information.  

- write sig for AOL 3.3 and prior AUTH Basic overflow

- check on sid:895's group.  web-coldfusion instead of web-cgi?  
  (Pointed out by Justin Mitzimberg <JMitzimberg@bco.com>)

- rewrite the zillion deepthroat 3.1 sigs and try and bring the count down
  to oh, say... 2

- sid:340,341  What vulnerabilities are these?

- sid:349.  It seems to suck badly.  How about 
  content:"MKD "; offset:0; depth:4; dsize:>50;

- sid:1229.  Where does "CWD ..." come from? -- warez kiddies (cmg)

- BID 3744.  PHPFileExchange, Find the exploit, write a sig 

- BID 3988.  NetJuke.  find exploit, write a sig

- need FTP PORT bouncing signature

-- did the QT stuff

- CAN-2000-1176

- PIMP http://cvs.nessus.org/cgi-bin/cvsweb.cgi/~checkout~/nessus-plugins/scripts/pimp.nasl
- SMB reg key smb_reg_ras_access.nasl

- axent_raptor_dos.nasl

- DNS ZXFR  sig

- finished nessus sigs up to bonk.nasl, start with that and finish the rest
- DCE sigs
- verify dtspcd.nasl

- convert all application ports to $APPNAME_PORTS if it makes sense for that
  application


- sid:1913,1914,1915,1916
  the content match detection stuff needs revisiting because we can't add
  the format string checks within the mon_name buffer.  The rules SHOULD
  look like the following if everything was working properly:

  alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"RPC STATD UDP stat \
  mon_name format string exploit attempt"; content:"|00 01 86 B8|";       \
  content:"|00 00 00 01|"; distance:4; within:4;                          \
  byte_jump:4,12,relative,align; byte_test:4,>,100,20,relative;           \
  content:"|25|"; distance:24; within:95; content:"|25|"; distance:1;     \
  within:5; reference:cve,CVE-2000-0666; reference:bugtraq,1480;)

  alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"RPC STATD TCP stat \
  mon_name format string exploit attempt"; flow:to_server,established;    \
  content:"|00 01 86 B8|"; content:"|00 00 00 01|"; distance:4; within:4; \
  byte_jump:4,12,relative,align; byte_test:4,>,100,20,relative;           \
  content:"|25|"; distance:24; within:95; content:"|25|"; distance:1;     \
  within:5; reference:cve,CVE-2000-0666; reference:bugtraq,1480;)

  alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"RPC STATD UDP      \
  monitor mon_name format string exploit attempt";                        \
  content:"|00 01 86 B8|"; content:"|00 00 00 02|"; distance:4; within:4; \
  byte_jump:4,12,relative,align; byte_test:4,>,100,20,relative;           \
  content:"|25|"; distance:20; within:95; content:"|25|"; distance:1;     \
  within:5; reference:cve,CVE-2000-0666; reference:bugtraq,1480;)

  alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"RPC STATD TCP      \
  monitor mon_name format string exploit attempt";                        \
  flow:to_server,established; content:"|00 01 86 B8|";                    \
  content:"|00 00 00 02|"; distance:4; within:4;                          \
  byte_test:4,>,100,16,relative; content:"|25|"; distance:16; within:96;  \
  content:"|25|"; distance:1; within:5; reference:cve,CVE-2000-0666;      \
  reference:bugtraq,1480;)


  alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"RPC ypupdate udp \
  command execution attempt"; content:"|01 86 BC|";                     \
  content:"|00 00 00 01|"; distance:4; within:4;                        \
  byte_jump:4,12,relative,align; byte_jump:4,16,relative,align;         \
  content:"\|"; distance:16; within:32; reference:cve,CVE-1999-0208;    \
  classtype:attempted-admin;)
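
Added example, not from the Snort rule set or the author of this todo: a small Python checker that does in code what the content/byte_jump/byte_test chain in the STATD rules above tries to express. It decodes the ONC RPC call header, skips the credential and verifier the way `byte_jump ...,relative,align` does, reads the XDR length of mon_name, and flags an oversized buffer (the `byte_test:4,>,100`) or format conversion characters (`|25|`) inside it. The packet builder, the AUTH_NULL credential layout and the sample hostnames are assumptions made here so the code runs offline; the real SM_MON argument carries more fields after mon_name, which this check ignores.

```python
import struct

# Values taken from the rules above: |00 01 86 B8| = program 100024 (statd),
# procedure 1 = stat, procedure 2 = monitor.
STATD_PROG = 0x000186B8
PROC_STAT = 1
PROC_MON = 2
AUTH_NULL = 0          # assumption: sample calls use AUTH_NULL cred and verf
RPC_CALL = 0
RPC_VERSION = 2


def xdr_string(data: bytes) -> bytes:
    """XDR string/opaque: 4-byte big-endian length, bytes, zero pad to 4."""
    return struct.pack(">I", len(data)) + data + b"\x00" * ((-len(data)) % 4)


def build_statd_call(mon_name: bytes, proc: int = PROC_STAT,
                     prog: int = STATD_PROG, xid: int = 0x1234) -> bytes:
    """Constructed RPC v2 CALL: header, AUTH_NULL cred, AUTH_NULL verf,
    then mon_name as the first argument (true for both SM_STAT and SM_MON)."""
    header = struct.pack(">IIIIII", xid, RPC_CALL, RPC_VERSION, prog, 1, proc)
    cred = struct.pack(">II", AUTH_NULL, 0)
    verf = struct.pack(">II", AUTH_NULL, 0)
    return header + cred + verf + xdr_string(mon_name)


def parse_rpc_call(pkt: bytes):
    """Return (prog, vers, proc, offset_of_args) or None if not a sane call."""
    if len(pkt) < 24:
        return None
    _xid, mtype, rpcvers, prog, vers, proc = struct.unpack(">IIIIII", pkt[:24])
    if mtype != RPC_CALL or rpcvers != RPC_VERSION:
        return None
    off = 24
    for _ in range(2):                      # credential, then verifier
        if off + 8 > len(pkt):
            return None
        _flavor, blen = struct.unpack(">II", pkt[off:off + 8])
        off += 8 + blen + ((-blen) % 4)     # the byte_jump ...,relative,align step
    return prog, vers, proc, off


def check_statd_mon_name(pkt: bytes, max_len: int = 100):
    """Mirror of the rules' intent.  Returns None if the packet is not a statd
    stat/monitor call (or is truncated), otherwise a list of reasons to alert
    (empty list = clean)."""
    parsed = parse_rpc_call(pkt)
    if parsed is None:
        return None
    prog, _vers, proc, off = parsed
    if prog != STATD_PROG or proc not in (PROC_STAT, PROC_MON):
        return None
    if off + 4 > len(pkt):
        return None
    (slen,) = struct.unpack(">I", pkt[off:off + 4])
    mon_name = pkt[off + 4:off + 4 + slen]
    if len(mon_name) != slen:
        return None                         # length field runs past the packet
    reasons = []
    if slen > max_len:                      # byte_test:4,>,100 on the XDR length
        reasons.append("mon_name length %d exceeds %d" % (slen, max_len))
    if mon_name.count(b"%") >= 2:           # two |25| matches inside the buffer
        reasons.append("format conversion characters in mon_name")
    return reasons


if __name__ == "__main__":
    # Constructed samples: a normal client name and two suspicious ones.
    samples = {
        "benign stat": build_statd_call(b"nfsclient.example.internal"),
        "monitor with %%": build_statd_call(b"%x%x", proc=PROC_MON),
        "oversized + %%": build_statd_call(b"%s" * 8 + b"A" * 100),
        "not statd": build_statd_call(b"%x%x", prog=100003),
    }
    for label, pkt in samples.items():
        print(label, "->", check_statd_mon_name(pkt))
```

The check keys on the XDR length field rather than on a raw byte window, which is the part the current rules cannot do with content matches alone; a real rule still needs the surrounding flow and port constraints from the drafts above.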

- write rule that looks for exploit of sid:306