|
|
|
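# IKEv1 Main Mode (Identity Protection exchange) request. Bytes 16-23 of the ISAKMP header
# are Next Payload=SA (01), Version=1.0 (10), Exchange Type=02, Flags=00, Message ID=0
# (same header layout the GPL rules below rely on with offset:16 / offset:17).
# Anchored with offset/depth so the 8-byte pattern is only tested against the header and not
# searched through the whole payload, where these bytes can occur by chance.
alert udp any any -> any 500 (msg:"IKEv1 UDP 500 Main Mode 01 10 02 00 00 00 00 00"; content:"|01 10 02 00 00 00 00 00|"; offset:16; depth:8; classtype:protocol-command-decode; sid:500060; rev:2; metadata:created_at 2019_02_11, updated_at 2019_02_11;)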
|
|
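# IKEv1 Quick Mode message. Bytes 16-19 of the ISAKMP header: Next Payload=Hash (08),
# Version=1.0 (10), Exchange Type=0x20 (Quick Mode), Flags=01 (Encryption bit set).
# Anchored to the header with offset/depth; the unanchored 4-byte pattern matched anywhere
# in the payload.
alert udp any any -> any 500 (msg:"IKEv1 UDP 500 Quick Mode 08 10 20 01"; content:"|08 10 20 01|"; offset:16; depth:4; classtype:protocol-command-decode; sid:500061; rev:2; metadata:created_at 2019_02_11, updated_at 2019_02_11;)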
|
|
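# IKEv1 Aggressive Mode request. Bytes 16-23 of the ISAKMP header: Next Payload=SA (01),
# Version=1.0 (10), Exchange Type=04 (Aggressive), Flags=00, Message ID=0.
# Anchored to the header with offset/depth (see sid:500060 for the Main Mode counterpart).
alert udp any any -> any 500 (msg:"IKEv1 UDP 500 Aggressive Mode 01 10 04 00 00 00 00 00"; content:"|01 10 04 00 00 00 00 00|"; offset:16; depth:8; classtype:protocol-command-decode; sid:500062; rev:2; metadata:created_at 2019_02_11, updated_at 2019_02_11;)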
|
|
|
|
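# IKEv2 IKE_SA_INIT response (ikev2 app-layer). Bytes 16-19 of the IKE header:
# Next Payload=0x21 (33, SA), Version=2.0 (0x20), Exchange Type=0x22 (34, IKE_SA_INIT),
# Flags=0x20 (Response bit). Anchored with offset/depth so only the header is tested.
alert ikev2 any any -> any any (msg:"IKEv2 IKE_SA_INIT Responder 21 20 22 20"; content:"|21 20 22 20|"; offset:16; depth:4; classtype:protocol-command-decode; sid:500072; rev:2; metadata:created_at 2019_02_11, updated_at 2019_02_11;)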
|
|
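# IKEv2 IKE_SA_INIT request whose first payload is a Nonce. Bytes 16-19 of the IKE header:
# Next Payload=0x28 (40, Nonce), Version=2.0, Exchange Type=0x22 (IKE_SA_INIT),
# Flags=0x08 (Initiator bit). sid:500083 covers the more usual SA-first variant.
alert ikev2 any any -> any any (msg:"IKEv2 IKE_SA_INIT Initiator 28 20 22 08 Next Payload: Nonce"; content:"|28 20 22 08|"; offset:16; depth:4; classtype:protocol-command-decode; sid:500073; rev:2; metadata:created_at 2019_02_11, updated_at 2019_02_11;)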
|
|
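# IKEv2 CREATE_CHILD_SA response. Bytes 16-19 of the IKE header: Next Payload=0x2E
# (46, Encrypted and Authenticated), Version=2.0, Exchange Type=0x24 (36, CREATE_CHILD_SA),
# Flags=0x20 (Response bit). Anchored with offset/depth.
alert ikev2 any any -> any any (msg:"IKEv2 CREATE_CHILD_SA Responder 2E 20 24 20"; content:"|2E 20 24 20|"; offset:16; depth:4; classtype:protocol-command-decode; sid:500074; rev:2; metadata:created_at 2019_02_11, updated_at 2019_02_11;)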
|
|
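# IKEv2 CREATE_CHILD_SA request from the initiator. Bytes 16-19 of the IKE header:
# Next Payload=0x2E (Encrypted), Version=2.0, Exchange Type=0x24 (CREATE_CHILD_SA),
# Flags=0x08 (Initiator bit, Response bit clear). Anchored with offset/depth.
alert ikev2 any any -> any any (msg:"IKEv2 CREATE_CHILD_SA Initiator 2E 20 24 08"; content:"|2E 20 24 08|"; offset:16; depth:4; classtype:protocol-command-decode; sid:500075; rev:2; metadata:created_at 2019_02_11, updated_at 2019_02_11;)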
|
|
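# IKEv2 IKE_AUTH response. Bytes 16-19 of the IKE header: Next Payload=0x2E (Encrypted),
# Version=2.0, Exchange Type=0x23 (35, IKE_AUTH), Flags=0x20 (Response bit).
# Anchored with offset/depth. sid:500078 is the plain-UDP/500 counterpart of this rule.
alert ikev2 any any -> any any (msg:"IKEv2 IKE_AUTH Responder 2E 20 23 20"; content:"|2E 20 23 20|"; offset:16; depth:4; classtype:protocol-command-decode; sid:500076; rev:2; metadata:created_at 2019_02_11, updated_at 2019_02_11;)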
|
|
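# IKEv2 IKE_AUTH request. Bytes 16-19 of the IKE header: Next Payload=0x2E (Encrypted),
# Version=2.0, Exchange Type=0x23 (IKE_AUTH), Flags=0x08 (Initiator bit).
# Anchored with offset/depth. sid:500080 is the plain-UDP/500 counterpart of this rule.
alert ikev2 any any -> any any (msg:"IKEv2 IKE_AUTH Initiator 2E 20 23 08"; content:"|2E 20 23 08|"; offset:16; depth:4; classtype:protocol-command-decode; sid:500077; rev:2; metadata:created_at 2019_02_11, updated_at 2019_02_11;)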
|
|
|
|
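# IKEv2 IKE_AUTH response matched on raw UDP/500 (no app-layer dependency).
# Bytes 16-19 of the IKE header: 2E (Encrypted) 20 (v2.0) 23 (IKE_AUTH) 20 (Response).
# Anchored with offset/depth. Overlaps with sid:500076 on the ikev2 app-layer; both may
# fire for the same packet when the ikev2 parser is enabled.
alert udp any any -> any 500 (msg:"IKEv2 UDP IKE_AUTH Responder 2E 20 23 20"; content:"|2E 20 23 20|"; offset:16; depth:4; classtype:protocol-command-decode; sid:500078; rev:2; metadata:created_at 2019_02_11, updated_at 2019_02_11;)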
|
|
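# IKEv2 IKE_AUTH request matched on raw UDP/500 (no app-layer dependency).
# Bytes 16-19 of the IKE header: 2E (Encrypted) 20 (v2.0) 23 (IKE_AUTH) 08 (Initiator).
# Anchored with offset/depth. Overlaps with sid:500077 on the ikev2 app-layer.
alert udp any any -> any 500 (msg:"IKEv2 UDP IKE_AUTH Initiator 2E 20 23 08"; content:"|2E 20 23 08|"; offset:16; depth:4; classtype:protocol-command-decode; sid:500080; rev:2; metadata:created_at 2019_02_11, updated_at 2019_02_11;)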
|
|
|
|
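# IKEv2 IKE_SA_INIT response matched on raw UDP/500.
# Bytes 16-19 of the IKE header: 21 (SA) 20 (v2.0) 22 (IKE_SA_INIT) 20 (Response).
# Anchored with offset/depth. Overlaps with sid:500072 on the ikev2 app-layer.
alert udp any any -> any 500 (msg:"UDP 500 IKEv2 IKE_SA_INIT Responder 21 20 22 20"; content:"|21 20 22 20|"; offset:16; depth:4; classtype:protocol-command-decode; sid:500090; rev:2; metadata:created_at 2019_02_11, updated_at 2019_02_11;)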
|
|
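# IKEv2 IKE_SA_INIT request with a Nonce as first payload, matched on raw UDP/500.
# Bytes 16-19 of the IKE header: 28 (Nonce) 20 (v2.0) 22 (IKE_SA_INIT) 08 (Initiator).
# Anchored with offset/depth. Overlaps with sid:500073 on the ikev2 app-layer.
alert udp any any -> any 500 (msg:"UDP 500 IKEv2 IKE_SA_INIT Initiator 28 20 22 08 Next Payload: Nonce"; content:"|28 20 22 08|"; offset:16; depth:4; classtype:protocol-command-decode; sid:500091; rev:2; metadata:created_at 2019_02_11, updated_at 2019_02_11;)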
|
|
|
|
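# IKEv2 IKE_SA_INIT response on UDP/4500 (NAT-T). Per RFC 3948, IKE on port 4500 is
# prefixed with a 4-byte zero "non-ESP marker", so the IKE header starts at payload offset 4
# and the Next Payload/Version/Exchange/Flags bytes sit at offsets 20-23 rather than 16-19.
# The marker is matched explicitly so UDP-encapsulated ESP on the same port (non-zero SPI
# in those bytes) is not examined further.
alert udp any any -> any 4500 (msg:"UDP 4500 IKEv2 IKE_SA_INIT Responder 21 20 22 20"; content:"|00 00 00 00|"; depth:4; content:"|21 20 22 20|"; offset:20; depth:4; classtype:protocol-command-decode; sid:500092; rev:2; metadata:created_at 2019_02_11, updated_at 2019_02_11;)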
|
|
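# IKEv2 IKE_SA_INIT request (Nonce first) on UDP/4500 (NAT-T). As in sid:500092, the
# RFC 3948 non-ESP marker (4 zero bytes) precedes the IKE header, so the header bytes
# 28 (Nonce) 20 (v2.0) 22 (IKE_SA_INIT) 08 (Initiator) are at payload offsets 20-23.
alert udp any any -> any 4500 (msg:"UDP 4500 IKEv2 IKE_SA_INIT Initiator 28 20 22 08 Next Payload: Nonce"; content:"|00 00 00 00|"; depth:4; content:"|28 20 22 08|"; offset:20; depth:4; classtype:protocol-command-decode; sid:500093; rev:2; metadata:created_at 2019_02_11, updated_at 2019_02_11;)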
|
|
|
|
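# IKEv2 IKE_SA_INIT request with the SA payload first (the common case). Bytes 16-19 of the
# IKE header: Next Payload=0x21 (SA), Version=2.0, Exchange Type=0x22 (IKE_SA_INIT),
# Flags=0x08 (Initiator bit). Anchored with offset/depth.
alert ikev2 any any -> any any (msg:"IKEv2 IKE_SA_INIT Initiator 21 20 22 08 Next Payload: SA"; content:"|21 20 22 08|"; offset:16; depth:4; classtype:protocol-command-decode; sid:500083; rev:2; metadata:created_at 2019_02_11, updated_at 2019_02_11;)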
|
|
|
|
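# IKEv2 CREATE_CHILD_SA request originated by the responder side of the IKE SA.
# Bytes 16-19 of the IKE header: 2E (Encrypted) 20 (v2.0) 24 (CREATE_CHILD_SA) 00 — both
# the Initiator (0x08) and Response (0x20) flag bits are clear. Anchored with offset/depth.
alert ikev2 any any -> any any (msg:"IKEv2 CREATE_CHILD_SA Responder Request 2E 20 24 00"; content:"|2E 20 24 00|"; offset:16; depth:4; classtype:protocol-command-decode; sid:500084; rev:2; metadata:created_at 2019_02_11, updated_at 2019_02_11;)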
|
|
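# IKEv2 CREATE_CHILD_SA response sent by the original initiator (answering sid:500084).
# Bytes 16-19 of the IKE header: 2E (Encrypted) 20 (v2.0) 24 (CREATE_CHILD_SA) 28 — both
# the Initiator (0x08) and Response (0x20) flag bits set. Anchored with offset/depth.
alert ikev2 any any -> any any (msg:"IKEv2 CREATE_CHILD_SA Initiator Response 2E 20 24 28"; content:"|2E 20 24 28|"; offset:16; depth:4; classtype:protocol-command-decode; sid:500085; rev:2; metadata:created_at 2019_02_11, updated_at 2019_02_11;)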
|
|
|
|
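# Direction-agnostic IKEv2 IKE_SA_INIT catch-all (marked XXX / work in progress upstream).
# Matches only Version=2.0 (0x20) and Exchange Type=0x22 at header bytes 17-18, so it fires
# regardless of Next Payload and Flags. A 2-byte unanchored pattern is extremely noisy;
# offset/depth restrict it to the header. Still no metadata, as in the original.
alert ikev2 any any -> any any (msg:"IKEv2 IKE_SA_INIT XXX 20 22"; content:"|20 22|"; offset:17; depth:2; classtype:protocol-command-decode; sid:500052; rev:2;)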
|
|
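# Direction-agnostic IKEv2 IKE_AUTH catch-all (marked XXX / work in progress upstream).
# Matches header bytes 16-18: 2E (Encrypted) 20 (v2.0) 23 (IKE_AUTH), ignoring Flags.
# Anchored with offset/depth so the 3-byte pattern is only tested in the header.
alert ikev2 any any -> any any (msg:"IKEv2 IKE_AUTH XXX 2E 20 23"; content:"|2E 20 23|"; offset:16; depth:3; classtype:protocol-command-decode; sid:500053; rev:2;)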
|
|
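# Direction-agnostic IKEv2 CREATE_CHILD_SA catch-all (marked XXX / work in progress upstream).
# Matches header bytes 16-18: 2E (Encrypted) 20 (v2.0) 24 (CREATE_CHILD_SA), ignoring Flags.
# Anchored with offset/depth so the 3-byte pattern is only tested in the header.
alert ikev2 any any -> any any (msg:"IKEv2 IKE_CREATE_CHILD_SA XXX 2E 20 24"; content:"|2E 20 24|"; offset:16; depth:3; classtype:protocol-command-decode; sid:500054; rev:2;)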
|
|
|
|
|
|
# GPL POLICY rule: fixed-byte signature of a specific IKEv1 Main Mode SA proposal (the
# "01 10 02 00 ..." header bytes followed by one SA payload with two transforms). The content
# carries no offset/depth, so the whole payload is searched; the long pattern keeps false
# positives low. Upstream GPL rule, kept byte-for-byte (rev:7).
alert udp any any -> $HOME_NET 500 (msg:"GPL POLICY IPSec PGPNet connection attempt"; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 10 02 00 00 00 00 00 00 00 00 88 0D 00 00 5C 00 00 00 01 00 00 00 01 00 00 00|P|01 01 00 02 03 00 00 24 01 01 00 00 80 01 00 06 80 02 00 02 80 03 00 03 80 04 00 05 80 0B 00 01 00 0C 00 04 00 01|Q|80 00 00 00 24 02 01 00 00 80 01 00 05 80 02 00 01 80 03 00 03 80 04 00 02 80 0B 00 01 00 0C 00 04 00 01|Q|80 00 00 00 10|"; classtype:protocol-command-decode; sid:500005; rev:7; metadata:created_at 2010_09_23, updated_at 2019_01_26;)
|
|
|
|
# GPL ATTACK_RESPONSE rule: ISAKMP Informational exchange carrying an authentication-failure
# notification. First content: bytes 17-18 = Version 1.0 (10), Exchange Type 05 (Informational).
# Second content, distance:13 after the first match ends at 19, lands at offset 32:
# DOI=1 (00 00 00 01), Protocol ID=1, SPI size=0, Notify type 0x0018 (24, AUTHENTICATION-FAILED).
# Upstream GPL rule, kept byte-for-byte.
alert udp any any -> any 500 (msg:"GPL ATTACK_RESPONSE isakmp login failed"; content:"|10 05|"; depth:2; offset:17; content:"|00 00 00 01 01 00 00 18|"; within:8; distance:13; classtype:misc-activity; sid:500007; rev:3; metadata:created_at 2010_09_23, updated_at 2019_01_31;)
|
|
# GPL EXPLOIT rule (CVE-2004-0040): oversized Certificate Request as the first payload.
# byte_test at 24 = ISAKMP header Length > 2043; content 07 at 16 = Next Payload is
# Certificate Request; byte_test at 30 = first payload's Length field > 2043.
# Siblings sid:500009 / 500010 / 500015 check the same condition deeper in the payload chain.
alert udp any any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP first payload certificate request length overflow attempt"; byte_test:4,>,2043,24; content:"|07|"; depth:1; offset:16; byte_test:2,>,2043,30; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:500008; rev:4; metadata:created_at 2010_09_23, updated_at 2019_01_31;)
|
|
# GPL EXPLOIT rule (CVE-2004-0040): oversized Certificate Request as the second payload.
# content 07 at 28 = first payload's Next Payload field; byte_jump:2,30 skips the first
# payload by its Length; the relative byte_test then reads the second payload's Length
# (2 bytes back from the cursor) and requires it to exceed 2043.
alert udp any any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP second payload certificate request length overflow attempt"; byte_test:4,>,2043,24; content:"|07|"; depth:1; offset:28; byte_jump:2,30; byte_test:2,>,2043,-2,relative; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:500009; rev:4; metadata:created_at 2010_09_23, updated_at 2019_01_31;)
|
|
# GPL EXPLOIT rule (CVE-2004-0040), later position in the payload chain ("forth" is the
# upstream spelling of the msg and is kept so alert names stay stable). Walks the chain with
# byte_jump from the first payload's Length at 30, checks that the Next Payload byte 4 bytes
# before the cursor is 07 (Certificate Request), jumps over that payload, and requires the
# following payload's Length (2 bytes back, relative) to exceed 2043. Unlike sid:500008/500009
# this one also requires flow:to_server.
alert udp any any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP forth payload certificate request length overflow attempt"; flow:to_server; byte_test:4,>,2043,24; byte_jump:2,30; content:"|07|"; within:1; distance:-4; byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:500010; rev:7; metadata:created_at 2010_09_23, updated_at 2019_01_31;)
|
|
# GPL EXPLOIT rule (CVE-2004-0164): Delete payload preceded by an empty Hash payload.
# content 08 at 16 = header Next Payload is Hash; content 0C at 28 = Hash payload's Next
# Payload is Delete; content 00 04 at 30 = Hash payload Length is 4, i.e. generic header only,
# no hash data. Upstream GPL rule, kept byte-for-byte.
alert udp any any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP delete hash with empty hash attempt"; content:"|08|"; depth:1; offset:16; content:"|0C|"; depth:1; offset:28; content:"|00 04|"; depth:2; offset:30; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:500011; rev:11; metadata:created_at 2010_09_23, updated_at 2019_01_31;)
|
|
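# GPL EXPLOIT rule (CVE-2004-0164): INITIAL-CONTACT notification with SPI size 0 as the
# first payload. content 0B at 16 = header Next Payload is Notification; at 30: Length 000C,
# DOI 00000001, Protocol ID 01, SPI size 00, Notify type 60 02 (0x6002 = INITIAL-CONTACT).
# The previous revision encoded the notify type as 06 02 (0x0602), which is not
# INITIAL-CONTACT and disagrees with the second-payload variant sid:500013, which matches
# 60 02 (written there as "|`|02|", backtick = 0x60); the rule could never fire on the
# traffic its msg describes. Fixed and rev bumped — confirm against the upstream GPL source.
alert udp any any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP initial contact notification without SPI attempt"; content:"|0B|"; depth:1; offset:16; content:"|00 0C 00 00 00 01 01 00 60 02|"; depth:10; offset:30; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:500012; rev:11; metadata:created_at 2010_09_23, updated_at 2019_01_31;)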
|
|
# GPL EXPLOIT rule (CVE-2004-0164): INITIAL-CONTACT notification with SPI size 0 as the
# second payload. content 0B at 28 = first payload's Next Payload is Notification;
# byte_jump:2,30 skips the first payload; the relative content (distance:-2 re-reads the
# Length field) matches Length 000C, DOI 1, Protocol ID 1, SPI size 0, Notify type 0x6002 —
# the "`" between the hex groups is the literal byte 0x60, not a typo.
alert udp any any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP second payload initial contact notification without SPI attempt"; content:"|0B|"; depth:1; offset:28; byte_jump:2,30; content:"|00 0C 00 00 00 01 01 00|`|02|"; within:10; distance:-2; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:500013; rev:10; metadata:created_at 2010_09_23, updated_at 2019_01_31;)
|
|
# GPL EXPLOIT rule (CVE-2004-0184): Identification payload with an impossible length.
# content 05 at 16 = header Next Payload is Identification; the two byte_tests at 30 require
# the payload Length to be 5..7, i.e. larger than an empty generic header (4) but shorter
# than the fixed ID payload header (8). Upstream GPL rule, kept byte-for-byte.
alert udp any any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP invalid identification payload attempt"; content:"|05|"; depth:1; offset:16; byte_test:2,>,4,30; byte_test:2,<,8,30; reference:bugtraq,10004; reference:cve,2004-0184; classtype:attempted-dos; sid:500014; rev:6; metadata:created_at 2010_09_23, updated_at 2019_01_31;)
|
|
# GPL EXPLOIT rule (CVE-2004-0040), fifth position in the payload chain. Same walk as
# sid:500010 with two extra relative byte_jumps (each re-reads the Length field 2 bytes back
# and skips that payload) before checking for a Certificate Request (07) whose following
# Length exceeds 2043. Requires flow:to_server. Upstream GPL rule, kept byte-for-byte.
alert udp any any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP fifth payload certificate request length overflow attempt"; flow:to_server; byte_test:4,>,2043,24; byte_jump:2,30; byte_jump:2,-2,relative; byte_jump:2,-2,relative; content:"|07|"; within:1; distance:-4; byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:500015; rev:5; metadata:created_at 2010_09_23, updated_at 2019_01_31;)
|
|
|