00001 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - /inst.php?fff="; flow:to_server,established; http_uri; content:"/inst.php?fff=",nocase; content:"coid=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,labs.snort.org/docs/16924.html; classtype:trojan-activity; sid:16924; rev:5; service:http; )
00001 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - /inst.php?fff="; flow:to_server,established; http_uri; content:"/inst.php?fff=",nocase; content:"coid=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,labs.snort.org/docs/16924.html; classtype:trojan-activity; sid:16924; rev:5; service:http; )
00002 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious User-Agent ErrCode - W32/Fujacks.htm"; flow:established,to_server; http_header; content:"User-Agent|3A| ErrCode"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.mcafee.com/threat-intelligence/malware/default.aspx?id=141161; reference:url,www.virustotal.com/latest-report.html?resource=f9dc0803ea4634256eae73b2db61a3c5; classtype:trojan-activity; sid:18247; rev:5; service:http; )
00002 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious User-Agent ErrCode - W32/Fujacks.htm"; flow:established,to_server; http_header; content:"User-Agent|3A| ErrCode"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.mcafee.com/threat-intelligence/malware/default.aspx?id=141161; reference:url,www.virustotal.com/latest-report.html?resource=f9dc0803ea4634256eae73b2db61a3c5; classtype:trojan-activity; sid:18247; rev:5; service:http; )
00003 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious User-Agent wget 3.0"; flow:to_server,established; http_header; content:"User-Agent|3A 20|wget|20 33 2E 30 0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.threatexpert.com/report.aspx?md5=a860efad636dba6ee1d270a1238a559c; classtype:trojan-activity; sid:19175; rev:3; service:http; )
00003 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious User-Agent wget 3.0"; flow:to_server,established; http_header; content:"User-Agent|3A 20|wget|20 33 2E 30 0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.threatexpert.com/report.aspx?md5=a860efad636dba6ee1d270a1238a559c; classtype:trojan-activity; sid:19175; rev:3; service:http; )
00004 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string STORMDDOS - Backdoor.Win32.Inject.ctt"; flow:to_server,established; http_header; content:"User-Agent|3A 20|STORMDDOS"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/latest-report.html?resource=eb85f7ec383b4e76046cfbddd183d592; classtype:trojan-activity; sid:19480; rev:4; service:http; )
00004 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string STORMDDOS - Backdoor.Win32.Inject.ctt"; flow:to_server,established; http_header; content:"User-Agent|3A 20|STORMDDOS"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/latest-report.html?resource=eb85f7ec383b4e76046cfbddd183d592; classtype:trojan-activity; sid:19480; rev:4; service:http; )
00005 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string ErrorFix"; flow:to_server,established; http_header; content:"User-Agent|3A 20|Error|20|Fix"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/latest-report.html?resource=f93aae75c25ae232a68f13e3b579f2ea; classtype:trojan-activity; sid:19482; rev:4; service:http; )
00005 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string ErrorFix"; flow:to_server,established; http_header; content:"User-Agent|3A 20|Error|20|Fix"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/latest-report.html?resource=f93aae75c25ae232a68f13e3b579f2ea; classtype:trojan-activity; sid:19482; rev:4; service:http; )
00006 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious uri config.ini on 3322.org domain"; flow:to_server,established; http_uri; content:"/config.ini"; http_header; content:"3322|2E|org"; metadata:impact_flag red,policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=f72abdad67d82e60386896efdbf84f2f7b560b54c161fb56033224882c51c220-1306543267; classtype:trojan-activity; sid:19493; rev:2; service:http; )
00006 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious uri config.ini on 3322.org domain"; flow:to_server,established; http_uri; content:"/config.ini"; http_header; content:"3322|2E|org"; metadata:impact_flag red,policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=f72abdad67d82e60386896efdbf84f2f7b560b54c161fb56033224882c51c220-1306543267; classtype:trojan-activity; sid:19493; rev:2; service:http; )
00007 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious User-Agent string MacProtector"; flow:to_server,established; http_header; content:"User-Agent|3A 20|MacProtector"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,virustotal.com/file-scan/report.html?id=22c3ded47d1903c101efefaba219e13542a4d2c463004fc6058f00eba2293466-1304566748; classtype:trojan-activity; sid:19589; rev:2; service:http; )
00007 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious User-Agent string MacProtector"; flow:to_server,established; http_header; content:"User-Agent|3A 20|MacProtector"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,virustotal.com/file-scan/report.html?id=22c3ded47d1903c101efefaba219e13542a4d2c463004fc6058f00eba2293466-1304566748; classtype:trojan-activity; sid:19589; rev:2; service:http; )
00008 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - pte.aspx?ver="; flow:established,to_server; http_uri; content:"/pte.aspx?ver=",nocase; content:"&rnd=",nocase; pcre:"/\/pte\.aspx\?ver=\d\.\d\.\d+\.\d\x26rnd=\d{5}/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=3e280159c7c84dd2fa1d93687c355faf4a4ca643f12b4921283104915b341bfc-1311850130; classtype:trojan-activity; sid:19622; rev:1; service:http; )
00008 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - pte.aspx?ver="; flow:established,to_server; http_uri; content:"/pte.aspx?ver=",nocase; content:"&rnd=",nocase; pcre:"/\/pte\.aspx\?ver=\d\.\d\.\d+\.\d\x26rnd=\d{5}/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=3e280159c7c84dd2fa1d93687c355faf4a4ca643f12b4921283104915b341bfc-1311850130; classtype:trojan-activity; sid:19622; rev:1; service:http; )
00009 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - vic.aspx?ver="; flow:established,to_server; http_uri; content:"/vic.aspx?ver=",nocase; content:"&rnd=",nocase; pcre:"/\/vic\.aspx\?ver=\d\.\d\.\d+\.\d\x26rnd=\d{5}/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=3e280159c7c84dd2fa1d93687c355faf4a4ca643f12b4921283104915b341bfc-1311850130; classtype:trojan-activity; sid:19623; rev:1; service:http; )
00009 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - vic.aspx?ver="; flow:established,to_server; http_uri; content:"/vic.aspx?ver=",nocase; content:"&rnd=",nocase; pcre:"/\/vic\.aspx\?ver=\d\.\d\.\d+\.\d\x26rnd=\d{5}/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=3e280159c7c84dd2fa1d93687c355faf4a4ca643f12b4921283104915b341bfc-1311850130; classtype:trojan-activity; sid:19623; rev:1; service:http; )
00010 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - .sys.php?getexe="; flow:established,to_server; http_uri; content:".sys.php?getexe=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=ba84f21b6f1879c2d6ce7c600cfb077cee4a172c8e0711e4ce67b32d1b315e82-1310972138; classtype:trojan-activity; sid:19625; rev:1; service:http; )
00010 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - .sys.php?getexe="; flow:established,to_server; http_uri; content:".sys.php?getexe=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=ba84f21b6f1879c2d6ce7c600cfb077cee4a172c8e0711e4ce67b32d1b315e82-1310972138; classtype:trojan-activity; sid:19625; rev:1; service:http; )
00011 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - /setup_b.asp?prj="; flow:established,to_server; http_uri; content:"/setup_b.asp?prj=",nocase; content:"&pid=",nocase; content:"&mac=",nocase; pcre:"/\/setup_b\.asp\?prj=\d\x26pid=[^\r\n]*\x26mac=/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=f99c0b916ad6fea6888fb5029bbf9b7807d0879298efd896298e54f273234cbe-1311680767; classtype:trojan-activity; sid:19626; rev:2; service:http; )
00011 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - /setup_b.asp?prj="; flow:established,to_server; http_uri; content:"/setup_b.asp?prj=",nocase; content:"&pid=",nocase; content:"&mac=",nocase; pcre:"/\/setup_b\.asp\?prj=\d\x26pid=[^\r\n]*\x26mac=/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=f99c0b916ad6fea6888fb5029bbf9b7807d0879298efd896298e54f273234cbe-1311680767; classtype:trojan-activity; sid:19626; rev:2; service:http; )
00012 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - /r_autoidcnt.asp?mer_seq="; flow:established,to_server; http_uri; content:"/r_autoidcnt.asp?mer_seq=",nocase; content:"&mac=",nocase; pcre:"/\/r_autoidcnt\.asp\?mer_seq=\d[^\r\n]*\x26mac=/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=d8f85e320f2841da5319582ea1020f12e622def611728e5eb076477e3f0aa3b2-1311733307; classtype:trojan-activity; sid:19627; rev:2; service:http; )
00012 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - /r_autoidcnt.asp?mer_seq="; flow:established,to_server; http_uri; content:"/r_autoidcnt.asp?mer_seq=",nocase; content:"&mac=",nocase; pcre:"/\/r_autoidcnt\.asp\?mer_seq=\d[^\r\n]*\x26mac=/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=d8f85e320f2841da5319582ea1020f12e622def611728e5eb076477e3f0aa3b2-1311733307; classtype:trojan-activity; sid:19627; rev:2; service:http; )
00013 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - /1cup/script.php"; flow:established,to_server; http_uri; content:"/1cup/script.php",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=93ae95010d79fbd56f59ee74db5758d2bef5cde451bbbfa7be80fee5023632b5-1310268536; classtype:trojan-activity; sid:19628; rev:1; service:http; )
00013 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - /1cup/script.php"; flow:established,to_server; http_uri; content:"/1cup/script.php",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=93ae95010d79fbd56f59ee74db5758d2bef5cde451bbbfa7be80fee5023632b5-1310268536; classtype:trojan-activity; sid:19628; rev:1; service:http; )
00014 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - AnSSip="; flow:established,to_server; http_uri; content:"|26|AnSSip=",nocase; pcre:"/\/\?id=\d+\x26AnSSip=/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=dd947d749f836851d8878b5d31dacb54110b4c4cafd7ebe8421dbe911a83d358-1309594430; classtype:trojan-activity; sid:19631; rev:1; service:http; )
00014 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - AnSSip="; flow:established,to_server; http_uri; content:"|26|AnSSip=",nocase; pcre:"/\/\?id=\d+\x26AnSSip=/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=dd947d749f836851d8878b5d31dacb54110b4c4cafd7ebe8421dbe911a83d358-1309594430; classtype:trojan-activity; sid:19631; rev:1; service:http; )
00015 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - /VertexNet/adduser.php?uid="; flow:established,to_server; http_uri; content:"/VertexNet/adduser.php?uid=|7B|",nocase; content:"cmpname=",nocase; pcre:"/\/VertexNet\/adduser\.php\?uid=\x7B[^\r\n]+\x7D\x26la[^\r\n]+\x26cmpname=/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=0fa0ea73215d09048cb0245bd2c8e56135c86068e78332c482a1afc862688bb8-1311841310; classtype:trojan-activity; sid:19632; rev:1; service:http; )
00015 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - /VertexNet/adduser.php?uid="; flow:established,to_server; http_uri; content:"/VertexNet/adduser.php?uid=|7B|",nocase; content:"cmpname=",nocase; pcre:"/\/VertexNet\/adduser\.php\?uid=\x7B[^\r\n]+\x7D\x26la[^\r\n]+\x26cmpname=/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=0fa0ea73215d09048cb0245bd2c8e56135c86068e78332c482a1afc862688bb8-1311841310; classtype:trojan-activity; sid:19632; rev:1; service:http; )
00016 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - /VertexNet/tasks.php?uid="; flow:established,to_server; http_uri; content:"/VertexNet/tasks.php?uid=|7B|",nocase; content:"cmpname=",nocase; pcre:"/\/VertexNet\/tasks\.php\?uid=\x7B[^\r\n]+\x7D\x26la[^\r\n]+\x26cmpname=/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=0fa0ea73215d09048cb0245bd2c8e56135c86068e78332c482a1afc862688bb8-1311841310; classtype:trojan-activity; sid:19633; rev:1; service:http; )
00016 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - /VertexNet/tasks.php?uid="; flow:established,to_server; http_uri; content:"/VertexNet/tasks.php?uid=|7B|",nocase; content:"cmpname=",nocase; pcre:"/\/VertexNet\/tasks\.php\?uid=\x7B[^\r\n]+\x7D\x26la[^\r\n]+\x26cmpname=/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=0fa0ea73215d09048cb0245bd2c8e56135c86068e78332c482a1afc862688bb8-1311841310; classtype:trojan-activity; sid:19633; rev:1; service:http; )
00017 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - /app/?prj="; flow:established,to_server; http_uri; content:"/app/?prj=",nocase; content:"&pid=",nocase; content:"&mac=",nocase; pcre:"/\/app\/\?prj=\d\x26pid=[^\r\n]+\x26mac=/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=444383f00dfb73927bf8835d6c847aa2eba24fe6f0266f397e42fae186d53009-1311274513; classtype:trojan-activity; sid:19635; rev:1; service:http; )
00017 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - /app/?prj="; flow:established,to_server; http_uri; content:"/app/?prj=",nocase; content:"&pid=",nocase; content:"&mac=",nocase; pcre:"/\/app\/\?prj=\d\x26pid=[^\r\n]+\x26mac=/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=444383f00dfb73927bf8835d6c847aa2eba24fe6f0266f397e42fae186d53009-1311274513; classtype:trojan-activity; sid:19635; rev:1; service:http; )
00018 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - /blog/images/3521.jpg?v"; flow:established,to_server; http_uri; content:"/blog/images/3521.jpg?v",nocase; content:"&tq=",nocase; pcre:"/\/blog/images/3521\.jpg\?v\d{2}=\d{2}\x26tq=/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=adcf7ecf750059f9645dc9dc807f0d1f84df23f03096e41d018edcad725057b1-1311932651; classtype:trojan-activity; sid:19636; rev:2; service:http; )
00018 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - /blog/images/3521.jpg?v"; flow:established,to_server; http_uri; content:"/blog/images/3521.jpg?v",nocase; content:"&tq=",nocase; pcre:"/\/blog/images/3521\.jpg\?v\d{2}=\d{2}\x26tq=/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=adcf7ecf750059f9645dc9dc807f0d1f84df23f03096e41d018edcad725057b1-1311932651; classtype:trojan-activity; sid:19636; rev:2; service:http; )
00019 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - /install.asp?mac="; flow:established,to_server; http_uri; content:"/install.asp?mac=",nocase; content:"&mode",nocase; pcre:"/\/install\.asp\?mac=[A-F\d]{12}\x26mode/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=f0e9e420544f116948b8dfd3d1ed8d156d323684fa6bd58cc87c0ee49320a21c-1311748537; classtype:trojan-activity; sid:19637; rev:2; service:http; )
00019 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - /install.asp?mac="; flow:established,to_server; http_uri; content:"/install.asp?mac=",nocase; content:"&mode",nocase; pcre:"/\/install\.asp\?mac=[A-F\d]{12}\x26mode/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=f0e9e420544f116948b8dfd3d1ed8d156d323684fa6bd58cc87c0ee49320a21c-1311748537; classtype:trojan-activity; sid:19637; rev:2; service:http; )
00020 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - /kx4.txt"; flow:established,to_server; http_uri; content:"/kx4.txt",depth 8,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=1fba1aab5d68fea2d2f0386c63b108d389c2b93d0fbc08ff6071497bb7fb6e1d-1311866840; classtype:trojan-activity; sid:19638; rev:1; service:http; )
00020 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - /kx4.txt"; flow:established,to_server; http_uri; content:"/kx4.txt",depth 8,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=1fba1aab5d68fea2d2f0386c63b108d389c2b93d0fbc08ff6071497bb7fb6e1d-1311866840; classtype:trojan-activity; sid:19638; rev:1; service:http; )
00021 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string Opera/8.89 - P2P-Worm.Win32.Palevo.ddm"; flow:to_server,established; http_header; content:"User-Agent|3A 20|Opera|2F|8|2E|89"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/latest-report.html?resource=bc58e841f8a43072da7b3c7647828cb8; classtype:trojan-activity; sid:19756; rev:3; service:http; )
00021 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string Opera/8.89 - P2P-Worm.Win32.Palevo.ddm"; flow:to_server,established; http_header; content:"User-Agent|3A 20|Opera|2F|8|2E|89"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/latest-report.html?resource=bc58e841f8a43072da7b3c7647828cb8; classtype:trojan-activity; sid:19756; rev:3; service:http; )
00022 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - /games/java_trust.php?f="; flow:established,to_server; http_uri; content:"/games/java_trust.php?f="; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,blogs.paretologic.com/malwarediaries/index.php/tag/zeus-bot-canada/; classtype:trojan-activity; sid:19778; rev:2; service:http; )
00022 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - /games/java_trust.php?f="; flow:established,to_server; http_uri; content:"/games/java_trust.php?f="; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,blogs.paretologic.com/malwarediaries/index.php/tag/zeus-bot-canada/; classtype:trojan-activity; sid:19778; rev:2; service:http; )
00023 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - /160.rar - Win32/Morto.A"; flow:to_server,established; http_uri; content:"/160.rar",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.f-secure.com/weblog/archives/00002227.html; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32%2fMorto.A; classtype:trojan-activity; sid:19882; rev:2; service:http; )
00023 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - /160.rar - Win32/Morto.A"; flow:to_server,established; http_uri; content:"/160.rar",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.f-secure.com/weblog/archives/00002227.html; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32%2fMorto.A; classtype:trojan-activity; sid:19882; rev:2; service:http; )
00024 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - optima/index.php"; flow:to_server,established; http_uri; content:"/optima/index.php",nocase; content:"uid=",distance 0,nocase; content:"ver=",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=4f9ea5ce70a9a4cc132eb9635e0c5b7e6265ce94be1ff1e9cfd4198dbebd449b-1294138038; classtype:trojan-activity; sid:19913; rev:1; service:http; )
00024 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for known malicious URI - optima/index.php"; flow:to_server,established; http_uri; content:"/optima/index.php",nocase; content:"uid=",distance 0,nocase; content:"ver=",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=4f9ea5ce70a9a4cc132eb9635e0c5b7e6265ce94be1ff1e9cfd4198dbebd449b-1294138038; classtype:trojan-activity; sid:19913; rev:1; service:http; )
00025 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious User-Agent string Baby Remote - Win32/Babmote.A"; flow:to_server,established; http_header; content:"User-Agent|3A| Baby Remote"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/latest-report.html?resource=0712178d245f4e5a5d0cf6318bf39144; classtype:trojan-activity; sid:20009; rev:3; service:http; )
00025 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious User-Agent string Baby Remote - Win32/Babmote.A"; flow:to_server,established; http_header; content:"User-Agent|3A| Baby Remote"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/latest-report.html?resource=0712178d245f4e5a5d0cf6318bf39144; classtype:trojan-activity; sid:20009; rev:3; service:http; )
00026 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string feranet/0.4 - Win32/Ferabsa.A"; flow:to_server,established; http_header; content:"User-Agent|3A| feranet/0.4|0D 0A|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/latest-report.html?resource=93c9b388af56cd66c55630509db05dfd; classtype:trojan-activity; sid:20012; rev:3; service:http; )
00026 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string feranet/0.4 - Win32/Ferabsa.A"; flow:to_server,established; http_header; content:"User-Agent|3A| feranet/0.4|0D 0A|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/latest-report.html?resource=93c9b388af56cd66c55630509db05dfd; classtype:trojan-activity; sid:20012; rev:3; service:http; )
00027 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string - InfoBot"; flow:to_server,established; http_header; content:"User-Agent|3A| InfoBot|2F|",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=0d624da9ec161f78c513cf6b0c85a069b65581cf09ba0a3315e2cac83a89a685-1311198379; classtype:trojan-activity; sid:20104; rev:4; service:http; )
00027 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string - InfoBot"; flow:to_server,established; http_header; content:"User-Agent|3A| InfoBot|2F|",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=0d624da9ec161f78c513cf6b0c85a069b65581cf09ba0a3315e2cac83a89a685-1311198379; classtype:trojan-activity; sid:20104; rev:4; service:http; )
00028 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string - IPHONE"; flow:to_server,established; http_header; content:"User-Agent|3A| IPHONE"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=459c30e9568295b0d9a3e5092734bb7fb6137b9bb8d7cbf5486b62e48e36bd7c-1311220119; classtype:trojan-activity; sid:20105; rev:6; service:http; )
00028 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string - IPHONE"; flow:to_server,established; http_header; content:"User-Agent|3A| IPHONE"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=459c30e9568295b0d9a3e5092734bb7fb6137b9bb8d7cbf5486b62e48e36bd7c-1311220119; classtype:trojan-activity; sid:20105; rev:6; service:http; )
00029 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string - darkness"; flow:to_server,established; http_header; content:"User-Agent|3A| darkness"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=30ae2284f7d211b8e448f4b011ee554d1303a0ef0163c4b664fe09d168b4441a-1314088474; classtype:trojan-activity; sid:20106; rev:3; service:http; )
00029 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string - darkness"; flow:to_server,established; http_header; content:"User-Agent|3A| darkness"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=30ae2284f7d211b8e448f4b011ee554d1303a0ef0163c4b664fe09d168b4441a-1314088474; classtype:trojan-activity; sid:20106; rev:3; service:http; )
00030 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string - meterpreter"; flow:to_server,established; http_header; content:"User-Agent|3A| Meterpreter"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:trojan-activity; sid:20201; rev:3; service:http; )
00030 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string - meterpreter"; flow:to_server,established; http_header; content:"User-Agent|3A| Meterpreter"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:trojan-activity; sid:20201; rev:3; service:http; )
00031 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string 0pera 10"; flow:to_server,established; http_header; content:"User-Agent|3A| 0pera 10"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=68c5adbc86aad8332455dcacbe624718d053d9078e99e149d6ecc69085a9e691-1313299701; classtype:trojan-activity; sid:20230; rev:3; service:http; )
00031 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string 0pera 10"; flow:to_server,established; http_header; content:"User-Agent|3A| 0pera 10"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=68c5adbc86aad8332455dcacbe624718d053d9078e99e149d6ecc69085a9e691-1313299701; classtype:trojan-activity; sid:20230; rev:3; service:http; )
00032 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string Mozilla//4.0"; flow:to_server,established; http_header; content:"User-Agent|3A| Mozilla//4.0 [compatible"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=56afa16e9c6bb2a379d3cff3787d18fa0a7b5f3c3df712ac9702cad789d7eb29-1316218781; classtype:trojan-activity; sid:20231; rev:3; service:http; )
00033 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string MBVDFRESCT"; flow:to_server,established; http_header; content:"User|2D|Agent|3A| MBVDFRESCT"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=61c2dbab2a90512689ac11e724bd8d2923a30780bfb9cac884ba4eb390e8fd40-1315489381; classtype:trojan-activity; sid:20293; rev:4; service:http; )
00034 alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BLACKLIST EMAIL known malicious email string - You have received a Hallmark E-Card"; flow:to_server,established; content:"Subject|3A| You have received a Hallmark E-Card!",nocase; content:!"href=|22|http|3A|//www.hallmark.com/",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,www.virustotal.com/file-scan/report.html?id=bd1cfd7b15f70d131d8f3f013a4e6afb0807791b898d96d3cc2b57de576acf1f-1258200619; reference:url,www.virustotal.com/latest-report.html?resource=925a4a25cfa562a0330c8733cc697021; classtype:misc-activity; sid:19595; rev:4; service:smtp; )
00035 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain prettylikeher.com - Sykipot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|prettylikeher|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:cve,2011-2462; reference:url,contagiodump.blogspot.com/2011/12/adobe-zero-day-cve-2011-2462.html; reference:url,labs.alienvault.com/labs/index.php/2011/are-the-sykipots-authors-obsessed-with-next-generation-us-drones/; classtype:trojan-activity; sid:21048; rev:6; service:dns; )
00036 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain mysundayparty.com - Sykipot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|mysundayparty|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,contagiodump.blogspot.com/2010/10/potential-new-adobe-flash-player-zero.html; classtype:trojan-activity; sid:21049; rev:5; service:dns; )
00037 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string Win32 Amti"; flow:to_server,established; http_header; content:"User-Agent|3A| Win32|2F|Amti"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=5c1b20432a465cfc9f830a8507645b757a95aadcb1f0dd74a05b3c76daddeef9-1296059565; classtype:trojan-activity; sid:21175; rev:4; service:http; )
00038 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string API Guide test program"; flow:to_server,established; http_header; content:"User|2D|Agent|3A| API|2D|Guide test program"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/97ff0c3329bff100cae187cd91dc761495dc8927ebcc64bc04025134624951f6/analysis/; reference:url,www.virustotal.com/file/cb5df70973c7ccedd7ee76e4dcadc2b8b7abab51b1aa16bcac4dd57df9b99182/analysis/; classtype:trojan-activity; sid:21188; rev:4; service:http; )
00039 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string Aldi Bot"; flow:to_server,established; http_header; content:"User-Agent|3A| Aldi Bot"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=7b17e377e2c44bdad10828dffd9da193a08de4512b47e5caae8a654a9406bb98-1315864372; classtype:trojan-activity; sid:21206; rev:3; service:http; )
00040 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string Flag"; flow:to_server,established; http_header; content:"User-Agent|3A| Flag|3A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=43606116e03672d5c2bca7d072caa573d3fc2463795427d6f5abfa25403bd280-1320677089; classtype:trojan-activity; sid:21225; rev:4; service:http; )
00041 alert tcp $EXTERNAL_NET 21 -> $HOME_NET any ( msg:"BLACKLIST known malicious FTP login banner - 0wns j0"; flow:established,to_client; content:"220|20|",depth 4; content:"0wns j0",distance 0,nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service ftp; reference:url,seclists.org/fulldisclosure/2004/Sep/895; reference:url,www.cyber-ta.org/releases/malware-analysis/public/SOURCES/CLUSTERS-NEW/behavior-summary.html; classtype:trojan-activity; sid:21255; rev:4; service:ftp; )
00042 alert tcp $EXTERNAL_NET 21 -> $HOME_NET any ( msg:"BLACKLIST known malicious FTP quit banner - Goodbye happy r00ting"; flow:established,to_client; content:"221 Goodbye happy r00ting"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service ftp; reference:url,taosecurity.blogspot.com/2006/01/nepenthes-discoveries-earlier-today-i.html; classtype:trojan-activity; sid:21256; rev:5; service:ftp; )
00043 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string Google Bot"; flow:to_server,established; http_header; content:"User-Agent|3A 20|Google Bot|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/latest-report.html?resource=9b5ea51d036ed45e7665abb280e43459; classtype:trojan-activity; sid:21278; rev:4; service:http; )
00044 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent ASafaWeb Scan"; flow:to_server,established; http_header; content:"User-Agent|3A| asafaweb.com"; metadata:policy balanced-ips alert,policy security-ips drop,ruleset community,service http; reference:url,asafaweb.com; classtype:network-scan; sid:21327; rev:6; service:http; )
00045 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string psi"; flow:to_server,established; http_header; content:"User-Agent|3A 20|psi|20|v"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/b76f804853db8b602393a588385e3c091bfb81b312ca8d7228881fc9d8bdae6e/analysis/1330351984/; classtype:trojan-activity; sid:21455; rev:3; service:http; )
00046 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string 1234567890"; flow:to_server,established; http_header; content:"User-Agent|3A| 1234567890"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=aead70177d2932a1ddd4556fa6b7eb3f7a136f58d5511e2c391b74c0f6d32a98-1315311757; classtype:trojan-activity; sid:21469; rev:3; service:http; )
00047 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string core-project"; flow:to_server, established; http_header; content:"User-Agent|3A 20|core-project"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; classtype:misc-activity; sid:21475; rev:3; service:http; )
00048 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent YZF"; flow:to_server,established; http_header; content:"User-Agent|3A| YZF|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/92221d283f4d4109b1e8ba139355498cf5b1f444ef8ea181e8ecdc4f68558a97/analysis/; classtype:trojan-activity; sid:21476; rev:2; service:http; )
00049 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known Adware user agent Gamevance tl_v"; flow:to_server,established; http_header; content:"User-Agent|3A| tl_v"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/009b5aba4b00bb618b46987630c23c69b20af29194c3e50a5c6dd2ae04338dd1/analysis/; classtype:trojan-activity; sid:21591; rev:2; service:http; )
00050 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known Adware user agent gbot"; flow:to_server,established; http_header; content:"User-Agent|3A| gbot"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/289eb3becfaf41707ff5e5315c6ba0cca3a5b84f5241d596c748eb036a22a889/analysis/; classtype:trojan-activity; sid:21636; rev:2; service:http; )
00051 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known Adware user agent mus - TDSS related"; flow:to_server,established; http_header; content:"User-Agent|3A| mus"; pcre:"/User-Agent\x3A\s+?mus[\x0d\x0a]/i"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/dd3979104aea7a45136e51a24fddcda4658d1825e5a4ee65f2e0601d5ddfc971/analysis/; classtype:trojan-activity; sid:21639; rev:2; service:http; )
00052 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent TCYWinHTTPDownload"; flow:to_server,established; http_header; content:"User-Agent|3A| TCYWinHTTPDownload"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/3303912ce4dd35cb0fefe2d6fbc75a887c2734d42e5edd622609a2c8bedd0dae/analysis/; classtype:trojan-activity; sid:21526; rev:3; service:http; )
00053 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent BOT/0.1"; flow:to_server,established; http_header; content:"User-Agent|3A| BOT/0.1 |28|BOT for JCE|29|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:21925; rev:2; service:http; )
00054 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain mac.update.zyns.com - OSX.Maljava"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|mac|06|update|04|zyns|03|com"; metadata:impact_flag red,policy balanced-ips drop,service dns; reference:url,www.symantec.com/connect/blogs/both-mac-and-windows-are-targeted-once; classtype:trojan-activity; sid:22051; rev:2; service:dns; )
00055 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent RAbcLib"; flow:to_server,established; http_header; content:"User-Agent|3A| RAbcLib"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/47D648603A2923D4539AAF6D4F63B3B704CCE090F68BB394A0F8B1BC2649844A/analysis/; classtype:trojan-activity; sid:22939; rev:2; service:http; )
00056 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - Flame malware"; flow:to_server,established; http_header; content:"User-Agent|3A| Mozilla/4.0 |28|compatible|3B| MSIE 6.0|3B|Windows NT 5.1|3B| .NET CLR 1.1.2150|29|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23019; rev:2; service:http; )
00057 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain traffic-spot.com - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|traffic-spot|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23020; rev:1; service:dns; )
00058 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain traffic-spot.biz - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|traffic-spot|03|biz|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23021; rev:1; service:dns; )
00059 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain smart-access.net - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|smart-access|03|net|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23022; rev:1; service:dns; )
00060 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain quick-net.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|quick-net|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23023; rev:1; service:dns; )
00061 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain autosync.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|autosync|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23024; rev:1; service:dns; )
00062 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain dnslocation.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|dnslocation|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23025; rev:1; service:dns; )
00063 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain dnsmask.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|dnsmask|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23026; rev:1; service:dns; )
00064 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain dnsportal.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|dnsportal|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23027; rev:1; service:dns; )
00065 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain dnsupdate.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|dnsupdate|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23028; rev:1; service:dns; )
00066 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain flashupdates.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|flashupdates|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23029; rev:1; service:dns; )
00066 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain flashupdates.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|flashupdates|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23029; rev:1; service:dns; )
00067 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain localgateway.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|localgateway|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23030; rev:1; service:dns; )
00067 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain localgateway.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|localgateway|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23030; rev:1; service:dns; )
00068 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain nvidiadrivers.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|nvidiadrivers|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23031; rev:1; service:dns; )
00068 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain nvidiadrivers.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|nvidiadrivers|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23031; rev:1; service:dns; )
00069 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain nvidiasoft.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|nvidiasoft|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23032; rev:1; service:dns; )
00069 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain nvidiasoft.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|nvidiasoft|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23032; rev:1; service:dns; )
00070 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain nvidiastream.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|nvidiastream|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23033; rev:1; service:dns; )
00070 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain nvidiastream.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|nvidiastream|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23033; rev:1; service:dns; )
00071 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain pingserver.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|pingserver|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23034; rev:1; service:dns; )
00071 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain pingserver.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|pingserver|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23034; rev:1; service:dns; )
00072 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain rendercodec.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|rendercodec|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23035; rev:1; service:dns; )
00072 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain rendercodec.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|rendercodec|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23035; rev:1; service:dns; )
00073 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain syncdomain.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|syncdomain|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23036; rev:1; service:dns; )
00073 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain syncdomain.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|syncdomain|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23036; rev:1; service:dns; )
00074 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain syncstream.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|syncstream|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23037; rev:1; service:dns; )
00074 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain syncstream.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|syncstream|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23037; rev:1; service:dns; )
00075 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain videosync.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|videosync|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23038; rev:1; service:dns; )
00075 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain videosync.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|videosync|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23038; rev:1; service:dns; )
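# --- HTTP beacons ------------------------------------------------------------
# sid 23473: JS.Runfore / "runforestrun" redirector. Matches in the normalized
#   URI buffer only; the same string in a body is not enough to fire.
# sid 23627: PoisonIvy RAT. The header content has no terminating CRLF, so any
#   User-Agent that *starts with* "PoisonIvy" matches.
# sid 23903: W32/DistTrack (Shamoon) check-in with User-Agent "you". The
#   trailing |0D 0A| pins the header end, so the value must be exactly "you".
#   The destination is `any` rather than $EXTERNAL_NET -- presumably because
#   the referenced sample reports to an internal host; expect this rule to
#   fire on east-west traffic and do not "fix" it to $EXTERNAL_NET.
# The source listing carried each rule twice (identical gid:sid:rev); one copy
# is kept here, since Snort reports duplicate sids at load time.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for runforestrun - JS.Runfore"; flow:to_server,established; http_uri; content:"/runforestrun?sid="; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains; reference:url,isc.sans.edu/diary/Run+Forest+/13540; reference:url,isc.sans.edu/diary/Run+Forest+Update+/13561; reference:url,urlquery.net/search.php?q=runforestrun; classtype:trojan-activity; sid:23473; rev:1; service:http; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - PoisonIvy RAT"; flow:to_server,established; http_header; content:"User-Agent|3A| PoisonIvy"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.poisonivy-rat.com; reference:url,www.virustotal.com/file/c71d8085544e6f81e0301d9dd5cdf88369339a6001bab8e4fda22de9ec0fee31/analysis/; classtype:trojan-activity; sid:23627; rev:2; service:http; )
alert tcp $HOME_NET any -> any $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - you"; flow:to_server,established; http_header; content:"User-Agent|3A| you|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23936/en_US/McAfee_Labs_Threat_Advisory-W32-DistTrack.pdf; classtype:trojan-activity; sid:23903; rev:2; service:http; )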
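# --- Gauss C2 domains (sids 23799-23804) -------------------------------------
# DNS standard-query detection: byte_test:1,!&,0xF8,2 requires QR and Opcode
# in the DNS flags byte (payload offset 2) to be clear, and the content is the
# wire-format QNAME with label-length bytes, so the apex and any subdomain of
# it match while a look-alike apex does not. Destination is `any 53`, so
# lookups through an internal resolver are covered; udp only, no tcp/53 twin.
# The msg strings carry a trailing space ("Gauss ") -- harmless, but mind it
# if SIEM correlation keys on the exact msg text.
# The source listing carried each rule twice (identical gid:sid:rev); one copy
# is kept here, since Snort reports duplicate sids at load time.
alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain guest-access.net - Gauss "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|guest-access|03|net|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,gauss.crysys.hu/; reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan; classtype:trojan-activity; sid:23799; rev:2; service:dns; )
alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain dotnetadvisor.info - Gauss "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|dotnetadvisor|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,gauss.crysys.hu/; reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan; classtype:trojan-activity; sid:23800; rev:2; service:dns; )
alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain bestcomputeradvisor.com - Gauss "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|13|bestcomputeradvisor|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,gauss.crysys.hu/; reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan; classtype:trojan-activity; sid:23801; rev:2; service:dns; )
alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain datajunction.org - Gauss "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|datajunction|03|org|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,gauss.crysys.hu/; reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan; classtype:trojan-activity; sid:23802; rev:2; service:dns; )
alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain secuurity.net - Gauss "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|secuurity|03|net|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,gauss.crysys.hu/; reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan; classtype:trojan-activity; sid:23803; rev:2; service:dns; )
alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain gowin7.com - Gauss "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|gowin7|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,gauss.crysys.hu/; reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan; classtype:trojan-activity; sid:23804; rev:2; service:dns; )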
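# --- Palevo and Dorifel C2 domains -------------------------------------------
# sid 24034: Palevo-B C2 jebena.ananikolic.su (community ruleset). Note the
#   destination is $EXTERNAL_NET 53, not `any 53` as in the neighbouring DNS
#   rules: a lookup answered by an internal recursive resolver will NOT match,
#   only hosts resolving straight to the Internet are covered. If that gap
#   matters, deploy a local copy with `any 53` under a local-range sid rather
#   than editing the vendor rule in place.
# sid 24146: Dorifel/Quervar C2 reslove-dns.com (typo-squat of "resolve").
# Both: byte_test:1,!&,0xF8,2 restricts to standard queries (QR/Opcode clear
# in the DNS flags byte); the wire-format QNAME matches the name and its
# subdomains.
# The source listing carried each rule twice (identical gid:sid:rev); one copy
# is kept here, since Snort reports duplicate sids at load time.
alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain jebena.ananikolic.su - Malware.HPsus/Palevo-B"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|jebena|0A|ananikolic|02|su|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/suspicious-behavior-and-files/HPsus~Palevo-B/detailed-analysis.aspx; classtype:trojan-activity; sid:24034; rev:3; service:dns; )
alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain reslove-dns.com - Dorifel"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|reslove-dns|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,blog.eset.com/2012/08/21/quervar-induc-c-reincarnate; reference:url,hitmanpro.wordpress.com/2012/08/11/joint-strike-force-against-dorifel/; classtype:trojan-activity; sid:24146; rev:2; service:dns; )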
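# --- User-Agent blacklist (1/2) ----------------------------------------------
# None of these pins the end of the header with |0D 0A|, so each fires on any
# User-Agent that *starts with* (or, for sid 16551, contains) the string.
# sid 24441 "Testing": generic value -- expect false positives from in-house
#   tooling; review hits before relying on the drop policy.
# sid 24442 "Alerter COM+": same sample as 24441 (shared VirusTotal reference).
# sid 16551 "malware": content:"malware" is case-sensitive while the pcre is
#   /i, so a User-Agent containing "Malware" satisfies the regex but fails the
#   required content match and never alerts. Adding `nocase` to the content
#   (or dropping `i`) would make the two agree; do that on a local-range sid,
#   not by editing the vendor rule in place.
# sid 16497 "Tear Application": ThreatExpert reference; that service is gone,
#   so the evidence behind the indicator is no longer retrievable.
# sid 5900 "Async HTTP Agent": classtype successful-recon-limited is an odd
#   choice for a UA blacklist entry, and the CA pest-database reference is
#   defunct.
# sid 5808 "SAH Agent": the only rule in this group without `http_header`, so
#   the content is searched in the whole payload rather than the header
#   buffer (a body that happens to contain the text would match), and it has
#   no reference. Adding `http_header;` before the content would align it with
#   its siblings.
# The source listing carried each rule twice (identical gid:sid:rev); one copy
# is kept here, since Snort reports duplicate sids at load time.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - Testing"; flow:to_server,established; http_header; content:"User-Agent|3A| Testing"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,virustotal.com/file/1b79d2d27a386ab40a1452514cf82f8aa65c7c406610787ac8be7cb9f710859b/analysis/; classtype:trojan-activity; sid:24441; rev:1; service:http; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - Alerter COM"; flow:to_server,established; http_header; content:"User-Agent|3A| Alerter COM+"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,virustotal.com/file/1b79d2d27a386ab40a1452514cf82f8aa65c7c406610787ac8be7cb9f710859b/analysis/; classtype:trojan-activity; sid:24442; rev:1; service:http; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - malware"; flow:to_server,established; http_header; content:"malware"; pcre:"/^User-Agent\x3A[^\r\n]*malware/mi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/analisis/c55e2acfed1996ddbd17ddd4cba57530dd34c207be9f9b327fa3fdbb10cdaa7c-1270750352; classtype:trojan-activity; sid:16551; rev:8; service:http; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - Tear Application"; flow:to_server,established; http_header; content:"User-Agent|3A| Tear Application"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.threatexpert.com/report.aspx?md5=48f1270338bc233839ffefa7e5eefde7; classtype:trojan-activity; sid:16497; rev:7; service:http; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - Async HTTP Agent"; flow:to_server,established; http_header; content:"User-Agent|3A| Async HTTP Agent"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453082798; classtype:successful-recon-limited; sid:5900; rev:10; service:http; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - SAH Agent"; flow:to_server,established; content:"User-Agent|3A| SAH Agent"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; classtype:misc-activity; sid:5808; rev:9; service:http; )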
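# --- User-Agent blacklist (2/2) ----------------------------------------------
# sids 24575, 24631, 24632, 24633: the trailing |0D 0A| pins the header end,
#   so the User-Agent must be exactly the quoted value. For "Opera/9.61" that
#   anchor is what separates the sample from a genuine browser, which (as far
#   as we know) appends platform and engine details after the version -- do
#   not loosen it.
# sid 24632 "1": additionally requires that no "Accept:" header be present
#   (content:!"Accept:"). That negative match is case-sensitive, so a client
#   sending a lowercase "accept:" header would not be excluded.
# sid 24634 "vaccinepc", sid 24792 "Google page", sid 25009
#   "User-Agent: User-Agent: Opera/" (the sample emits the header name twice):
#   prefix matches, no CRLF anchor.
# sid 24792 has no reference URL, so the provenance of the indicator is not
#   recorded; weigh that when triaging.
# The source listing carried each rule twice (identical gid:sid:rev); one copy
# is kept here, since Snort reports duplicate sids at load time.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - Opera/9.61"; flow:to_server,established; http_header; content:"User-Agent: Opera/9.61|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/78F000C1901081A2B7F43E55843BA89B3ED2BE2CAB2C3C36F04C768800863940/analysis/; classtype:trojan-activity; sid:24575; rev:1; service:http; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - Lizard/1.0"; flow:to_server,established; http_header; content:"User-Agent: Lizard/1.0|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/F885D6F24FFE5CD899841E9B9914F7CC1CF22C13C5EBF5332F1A1B4F378793FE/analysis/; classtype:trojan-activity; sid:24631; rev:1; service:http; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - 1"; flow:to_server,established; http_header; content:"User-Agent: 1|0D 0A|"; content:!"Accept:"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/C0F22EF1818673AF9B2D353F40AB846D3003F327666FBB446A1964BBA20EE2B2/analysis/; classtype:trojan-activity; sid:24632; rev:2; service:http; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - test_hInternet"; flow:to_server,established; http_header; content:"User-Agent: test_hInternet|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/C0F22EF1818673AF9B2D353F40AB846D3003F327666FBB446A1964BBA20EE2B2/analysis/; classtype:trojan-activity; sid:24633; rev:1; service:http; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - vaccinepc"; flow:to_server,established; http_header; content:"User-Agent: vaccinepc"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/C0F22EF1818673AF9B2D353F40AB846D3003F327666FBB446A1964BBA20EE2B2/analysis/; classtype:trojan-activity; sid:24634; rev:1; service:http; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent - Google page"; flow:to_server,established; http_header; content:"User-Agent|3A 20|Google page"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:24792; rev:1; service:http; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - User-Agent User-Agent"; flow:to_server,established; http_header; content:"User-Agent: User-Agent: Opera/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/E50BE9062933ACA19777767538BC9E03C94DB23AFBC4F6F19383FCBA3479EAB4/analysis/; classtype:trojan-activity; sid:25009; rev:2; service:http; )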
# sid:25018 - the only inbound rule in this stretch ($EXTERNAL_NET -> $HOME_NET,
# flow:to_client): an HTTP response header value ending in "malware-sinkhole" CRLF.
# A hit means a $HOME_NET host already resolved and contacted a sinkholed domain, so the
# alert's main value is identifying that host for follow-up; the drop policies still
# apply to the response itself.
00100 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BLACKLIST Connection to malware sinkhole"; flow:to_client,established; http_header; content:"malware-sinkhole|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,en.wikipedia.org/wiki/Sinkhole_Server; classtype:trojan-activity; sid:25018; rev:3; service:http; )
00101 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - NewBrandTest"; flow:to_server,established; http_header; content:"User-Agent|3A 20|NewBrandTest|0D 0A|"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/file/02b18d0aa415e299515891b56424751e846ca917d3bb55b82f07cfb97f62c4e1/analysis/; classtype:trojan-activity; sid:25119; rev:2; service:http; )
00102 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - 04/XP"; flow:to_server,established; http_header; content:"User-Agent: 04/XP|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/641B3981E33E33030D3D75EDE4D4F2C896D9F355FC9075B2F852E874FBB97F7A/analysis/; classtype:trojan-activity; sid:25243; rev:1; service:http; )
00103 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - me0hoi"; flow:to_server,established; http_header; content:"User-Agent: me0hoi|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/7919E2A3586AA83072689A5DB77DA8DDB4F675421D775C8F1A0110D12423EF3E/analysis/; classtype:trojan-activity; sid:25245; rev:1; service:http; )
# sid:25394 - first of seven URI rules (sids 25394-25400) sharing the Securelist
# "Red October" reference. Each is a case-sensitive literal match (no nocase) for its
# path in the normalized http_uri buffer, so a differently-cased path would not fire.
00104 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for /cgi-bin/nt/th"; flow:to_server,established; http_uri; content:"/cgi-bin/nt/th"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:trojan-activity; sid:25394; rev:1; service:http; )
00105 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for /cgi-bin/nt/sk"; flow:to_server,established; http_uri; content:"/cgi-bin/nt/sk"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:trojan-activity; sid:25395; rev:1; service:http; )
00106 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for /cgi-bin/dllhost/ac"; flow:to_server,established; http_uri; content:"/cgi-bin/dllhost/ac"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:trojan-activity; sid:25396; rev:1; service:http; )
00107 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for /cgi-bin/ms/check"; flow:to_server,established; http_uri; content:"/cgi-bin/ms/check"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:trojan-activity; sid:25397; rev:1; service:http; )
00108 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for /cgi-bin/ms/flush"; flow:to_server,established; http_uri; content:"/cgi-bin/ms/flush"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:trojan-activity; sid:25398; rev:1; service:http; )
00109 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for /cgi-bin/win/wcx"; flow:to_server,established; http_uri; content:"/cgi-bin/win/wcx"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:trojan-activity; sid:25399; rev:1; service:http; )
00110 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST URI request for /cgi-bin/win/cab"; flow:to_server,established; http_uri; content:"/cgi-bin/win/cab"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:trojan-activity; sid:25400; rev:1; service:http; )
# sid:25554 - DNS query for linuxrepository.org, matched in wire format: length-prefixed
# labels (|0F| = 15-byte label, |03|org, |00| = root). The leading length byte stops a
# longer label that merely ends in "linuxrepository" from matching; subdomains such as
# www.linuxrepository.org still match because the sequence appears inside them.
# byte_test:1,!&,0xF8,2 reads the first flags byte (offset 2 of the DNS header) and
# requires QR=0 and OPCODE=0, i.e. a standard query rather than a response.
# No nocase: a resolver that randomizes query-name case (0x20 encoding) would not
# match this rule - consider nocase if such resolvers are in scope.
00111 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain linuxrepository.org - UNIX.Trojan.SSHDoor"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|linuxrepository|03|org|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,www.virustotal.com/file/EBFD9354ED83635ED38BD117B375903F9984A18780EF86DBF7A642FC6584271C/analysis/; classtype:trojan-activity; sid:25554; rev:1; service:dns; )
00112 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain openssh.info - UNIX.Trojan.SSHDoor"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|openssh|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,www.virustotal.com/file/EBFD9354ED83635ED38BD117B375903F9984A18780EF86DBF7A642FC6584271C/analysis/; classtype:trojan-activity; sid:25555; rev:1; service:dns; )
00113 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain updete.servehttp.com - Win.Trojan.Jimpime"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|updete|09|servehttp|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,www.virustotal.com/file/29311a4e5c198df5fa962fdef2e71bdb87a30ca76ce901ae779d30e9b8bfce1b/analysis/; classtype:trojan-activity; sid:25624; rev:1; service:dns; )
00114 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - spam_bot"; flow:to_server,established; http_header; content:"User-Agent: spam_bot|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/ED62E89CC17E400A60D98E075FAFFB9D778C1A27A9CB83723E3AFA6A2C385339/analysis/; classtype:trojan-activity; sid:25659; rev:1; service:http; )
# sid:25684 - first of a run of consecutive DNS-query rules (sids 25684 onward) for
# *.info names that carry no reference field. The names look machine-generated, but
# nothing in this file ties them to a family; treat the run as an exact-name IoC list:
# each rule fires only on its own label sequence, not on a pattern.
00115 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain bahufykyby.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|bahufykyby|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25684; rev:1; service:dns; )
00116 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain basewibuxenagip.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|basewibuxenagip|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25685; rev:1; service:dns; )
00117 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain cefimoqicy.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|cefimoqicy|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25686; rev:1; service:dns; )
00118 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain cohehonyhe.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|cohehonyhe|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25687; rev:1; service:dns; )
00119 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain covyqileju.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|covyqileju|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25688; rev:1; service:dns; )
00120 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain decogonuwy.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|decogonuwy|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25689; rev:1; service:dns; )
00121 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain degupydoka.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|degupydoka|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25690; rev:1; service:dns; )
00122 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain diconybomo.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|diconybomo|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25691; rev:1; service:dns; )
00123 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain dixegocixa.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|dixegocixa|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25692; rev:1; service:dns; )
00124 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain favomavene.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|favomavene|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25693; rev:1; service:dns; )
00125 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain fegufidaty.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|fegufidaty|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25694; rev:1; service:dns; )
00126 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain fenemusemy.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|fenemusemy|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25695; rev:1; service:dns; )
00127 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain fihyqukapy.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|fihyqukapy|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25696; rev:1; service:dns; )
00128 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain fokizireheceduf.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|fokizireheceduf|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25697; rev:1; service:dns; )
00129 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain fyzuvejemuxoqiw.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|fyzuvejemuxoqiw|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25698; rev:1; service:dns; )
00130 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain gecadutolu.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|gecadutolu|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25699; rev:1; service:dns; )
00131 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain gybejajehekyfet.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|gybejajehekyfet|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25700; rev:1; service:dns; )
00132 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain hiveqemyrehinex.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|hiveqemyrehinex|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25701; rev:1; service:dns; )
00133 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain kyqehurevynyryk.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|kyqehurevynyryk|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25702; rev:1; service:dns; )
00134 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain lofyjisoxo.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|lofyjisoxo|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25703; rev:1; service:dns; )
00135 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain loqytylukykiruf.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|loqytylukykiruf|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25704; rev:1; service:dns; )
00136 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain lujuhijalu.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|lujuhijalu|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25705; rev:1; service:dns; )
00137 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain luxohygity.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|luxohygity|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25706; rev:1; service:dns; )
00138 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain moqawowyti.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|moqawowyti|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25707; rev:1; service:dns; )
00139 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain musututefu.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|musututefu|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25708; rev:1; service:dns; )
00140 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain mysotonego.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|mysotonego|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25709; rev:1; service:dns; )
00141 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain negenezepu.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|negenezepu|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25710; rev:1; service:dns; )
00142 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain pyziviziny.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|pyziviziny|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25711; rev:1; service:dns; )
00142 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain pyziviziny.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|pyziviziny|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25711; rev:1; service:dns; )
00143 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain qecytylohozariw.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|qecytylohozariw|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25712; rev:1; service:dns; )
00143 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain qecytylohozariw.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|qecytylohozariw|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25712; rev:1; service:dns; )
00144 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain qokimusanyveful.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|qokimusanyveful|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25713; rev:1; service:dns; )
00144 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain qokimusanyveful.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|qokimusanyveful|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25713; rev:1; service:dns; )
00145 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain qudevyfiqa.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|qudevyfiqa|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25714; rev:1; service:dns; )
00145 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain qudevyfiqa.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|qudevyfiqa|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25714; rev:1; service:dns; )
00146 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain radohowexehedun.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|radohowexehedun|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25715; rev:1; service:dns; )
00146 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain radohowexehedun.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|radohowexehedun|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25715; rev:1; service:dns; )
00147 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain relusibeci.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|relusibeci|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25716; rev:1; service:dns; )
00147 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain relusibeci.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|relusibeci|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25716; rev:1; service:dns; )
00148 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain rulerykozu.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|rulerykozu|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25717; rev:1; service:dns; )
00148 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain rulerykozu.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|rulerykozu|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25717; rev:1; service:dns; )
00149 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain sygonugeze.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|sygonugeze|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25718; rev:1; service:dns; )
00149 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain sygonugeze.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|sygonugeze|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25718; rev:1; service:dns; )
00150 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain taqyhucoka.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|taqyhucoka|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25719; rev:1; service:dns; )
00150 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain taqyhucoka.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|taqyhucoka|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25719; rev:1; service:dns; )
00151 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain tebejoturu.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|tebejoturu|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25720; rev:1; service:dns; )
00151 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain tebejoturu.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|tebejoturu|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25720; rev:1; service:dns; )
00152 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain vesufopodu.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|vesufopodu|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25721; rev:1; service:dns; )
00152 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain vesufopodu.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|vesufopodu|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25721; rev:1; service:dns; )
00153 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain vujygijehu.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|vujygijehu|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25722; rev:1; service:dns; )
00153 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain vujygijehu.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|vujygijehu|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25722; rev:1; service:dns; )
00154 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain vyzefykeno.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|vyzefykeno|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25723; rev:1; service:dns; )
00154 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain vyzefykeno.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|vyzefykeno|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25723; rev:1; service:dns; )
00155 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain wezadifiha.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|wezadifiha|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25724; rev:1; service:dns; )
00155 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain wezadifiha.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|wezadifiha|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25724; rev:1; service:dns; )
00156 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain xatawihuvo.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|xatawihuvo|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25725; rev:1; service:dns; )
00156 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain xatawihuvo.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|xatawihuvo|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25725; rev:1; service:dns; )
00157 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain xohuhynevepeqyv.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|xohuhynevepeqyv|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25726; rev:1; service:dns; )
00157 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain xohuhynevepeqyv.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|xohuhynevepeqyv|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25726; rev:1; service:dns; )
00158 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain zuhokasyku.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|zuhokasyku|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25727; rev:1; service:dns; )
00158 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain zuhokasyku.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|zuhokasyku|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25727; rev:1; service:dns; )
00159 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain zykuxykevu.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|zykuxykevu|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25728; rev:1; service:dns; )
00159 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain zykuxykevu.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|zykuxykevu|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25728; rev:1; service:dns; )
00160 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain all-celeb.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|all-celeb|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25729; rev:1; service:dns; )
00160 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain all-celeb.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|all-celeb|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25729; rev:1; service:dns; )
00161 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain allsearchforyou.in"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|allsearchforyou|02|in|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25730; rev:1; service:dns; )
00161 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain allsearchforyou.in"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|allsearchforyou|02|in|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25730; rev:1; service:dns; )
00162 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain bestpornodrive.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|bestpornodrive|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25731; rev:1; service:dns; )
00162 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain bestpornodrive.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|bestpornodrive|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25731; rev:1; service:dns; )
00163 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain beststoresearch.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|beststoresearch|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25732; rev:1; service:dns; )
00163 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain beststoresearch.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|beststoresearch|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25732; rev:1; service:dns; )
00164 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain catalogforyou.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|catalogforyou|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25733; rev:1; service:dns; )
00164 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain catalogforyou.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|catalogforyou|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25733; rev:1; service:dns; )
00165 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain catalogpornosearch.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|12|catalogpornosearch|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25734; rev:1; service:dns; )
00165 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain catalogpornosearch.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|12|catalogpornosearch|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25734; rev:1; service:dns; )
00166 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain celebrity-info.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|celebrity-info|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25735; rev:1; service:dns; )
00166 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain celebrity-info.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|celebrity-info|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25735; rev:1; service:dns; )
00167 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain drafsddhjk.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|drafsddhjk|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25736; rev:1; service:dns; )
00167 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain drafsddhjk.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|drafsddhjk|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25736; rev:1; service:dns; )
00168 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain easy-statistics.in"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|easy-statistics|02|in|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25737; rev:1; service:dns; )
00168 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain easy-statistics.in"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|easy-statistics|02|in|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25737; rev:1; service:dns; )
00169 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain ekstaz.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|ekstaz|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25738; rev:1; service:dns; )
00169 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain ekstaz.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|ekstaz|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25738; rev:1; service:dns; )
00170 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain facesystem.in"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|facesystem|02|in|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25739; rev:1; service:dns; )
00170 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain facesystem.in"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|facesystem|02|in|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25739; rev:1; service:dns; )
00171 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain famouspeopledata.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|famouspeopledata|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25740; rev:1; service:dns; )
00171 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain famouspeopledata.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|famouspeopledata|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25740; rev:1; service:dns; )
00172 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain famouspeopleinformation.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|17|famouspeopleinformation|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25741; rev:1; service:dns; )
00172 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain famouspeopleinformation.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|17|famouspeopleinformation|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25741; rev:1; service:dns; )
00173 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain findalleasy.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|findalleasy|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25742; rev:1; service:dns; )
00173 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain findalleasy.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|findalleasy|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25742; rev:1; service:dns; )
00174 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain findallsimple.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|findallsimple|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25743; rev:1; service:dns; )
00174 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain findallsimple.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|findallsimple|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25743; rev:1; service:dns; )
00175 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain freepornoreport.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|freepornoreport|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25744; rev:1; service:dns; )
00175 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain freepornoreport.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|freepornoreport|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25744; rev:1; service:dns; )
00176 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain freepornoshop.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|freepornoshop|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25745; rev:1; service:dns; )
00176 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain freepornoshop.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|freepornoshop|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25745; rev:1; service:dns; )
00177 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain freesearchshop.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|freesearchshop|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25746; rev:1; service:dns; )
00177 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain freesearchshop.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|freesearchshop|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25746; rev:1; service:dns; )
00178 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain localfreecatalog.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|localfreecatalog|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25747; rev:1; service:dns; )
00178 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain localfreecatalog.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|localfreecatalog|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25747; rev:1; service:dns; )
00179 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain loveplacecatalog.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|loveplacecatalog|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25748; rev:1; service:dns; )
00179 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain loveplacecatalog.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|loveplacecatalog|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25748; rev:1; service:dns; )
00180 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain lovepornomoney.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|lovepornomoney|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25749; rev:1; service:dns; )
00180 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain lovepornomoney.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|lovepornomoney|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25749; rev:1; service:dns; )
00181 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain newpornopicture.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|newpornopicture|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25750; rev:1; service:dns; )
00181 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain newpornopicture.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|newpornopicture|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25750; rev:1; service:dns; )
00182 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain newsearchnecessary.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|12|newsearchnecessary|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25751; rev:1; service:dns; )
00182 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain newsearchnecessary.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|12|newsearchnecessary|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25751; rev:1; service:dns; )
00183 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain newsearchshop.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|newsearchshop|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25752; rev:1; service:dns; )
00183 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain newsearchshop.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|newsearchshop|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25752; rev:1; service:dns; )
00184 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain pornobeetle.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|pornobeetle|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25753; rev:1; service:dns; )
00184 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain pornobeetle.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|pornobeetle|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25753; rev:1; service:dns; )
00185 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain pornofreecatalogs.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|11|pornofreecatalogs|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25754; rev:1; service:dns; )
00185 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain pornofreecatalogs.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|11|pornofreecatalogs|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25754; rev:1; service:dns; )
00186 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain pornofreeforyou.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|pornofreeforyou|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25755; rev:1; service:dns; )
00186 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain pornofreeforyou.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|pornofreeforyou|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25755; rev:1; service:dns; )
00187 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain pornowinner.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|pornowinner|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25756; rev:1; service:dns; )
00187 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain pornowinner.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|pornowinner|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25756; rev:1; service:dns; )
00188 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain proshopcatalog.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|proshopcatalog|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25757; rev:1; service:dns; )
00188 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain proshopcatalog.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|proshopcatalog|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25757; rev:1; service:dns; )
00189 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain searchnecessary.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|searchnecessary|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25758; rev:1; service:dns; )
00189 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain searchnecessary.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|searchnecessary|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25758; rev:1; service:dns; )
00190 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain search-porno.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|search-porno|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25759; rev:1; service:dns; )
00190 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain search-porno.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|search-porno|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25759; rev:1; service:dns; )
00191 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain shopcataloggroup.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|shopcataloggroup|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25760; rev:1; service:dns; )
00191 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain shopcataloggroup.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|shopcataloggroup|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25760; rev:1; service:dns; )
00192 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain shop-work.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|shop-work|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25761; rev:1; service:dns; )
00192 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain shop-work.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|shop-work|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25761; rev:1; service:dns; )
00193 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain superstarsinfo.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|superstarsinfo|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25762; rev:1; service:dns; )
00193 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain superstarsinfo.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|superstarsinfo|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25762; rev:1; service:dns; )
00194 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain winnerfree.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|winnerfree|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25763; rev:1; service:dns; )
00194 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain winnerfree.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|winnerfree|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; classtype:trojan-activity; sid:25763; rev:1; service:dns; )
00195 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain 24131192124.com - Win.Trojan.Chebri.C "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|24131192124|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan%3AWin32%2FChebri.C; classtype:trojan-activity; sid:25946; rev:3; service:dns; )
00195 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain 24131192124.com - Win.Trojan.Chebri.C "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|24131192124|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan%3AWin32%2FChebri.C; classtype:trojan-activity; sid:25946; rev:3; service:dns; )
00196 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent cibabam"; flow:to_server,established; http_header; content:"User-Agent|3A| cibabam|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/d8a18e7ce01d17149ada4a46ff3889da/analysis/; classtype:trojan-activity; sid:26248; rev:1; service:http; )
00196 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent cibabam"; flow:to_server,established; http_header; content:"User-Agent|3A| cibabam|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/d8a18e7ce01d17149ada4a46ff3889da/analysis/; classtype:trojan-activity; sid:26248; rev:1; service:http; )
00197 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain mercury.yori.pl - Kazy Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|mercury|04|yori|02|pl|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,www.virustotal.com/en/file/3b10dea660714efe9d89b8473196be64445741a2b9d36f9ddf5e45e744a9e320/analysis/; classtype:trojan-activity; sid:26265; rev:1; service:dns; )
00197 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain mercury.yori.pl - Kazy Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|mercury|04|yori|02|pl|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,www.virustotal.com/en/file/3b10dea660714efe9d89b8473196be64445741a2b9d36f9ddf5e45e744a9e320/analysis/; classtype:trojan-activity; sid:26265; rev:1; service:dns; )
# NOTE(review): unlike the neighbouring DNS rules, this one has neither the byte_test:1,!&,0xF8,2 flags check nor a terminating |00| after the TLD, so the match is not anchored to a standard query for exactly this name (a longer TLD or a response could also hit). Confirm the looser pattern is intended.
00198 alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain suppp.cantvenlinea.biz - Bitcoin Miner upload"; flow:to_server; content:"|05|suppp|0C|cantvenlinea|03|biz"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community,service dns; classtype:trojan-activity; sid:26396; rev:1; service:dns; )
00198 alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain suppp.cantvenlinea.biz - Bitcoin Miner upload"; flow:to_server; content:"|05|suppp|0C|cantvenlinea|03|biz"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community,service dns; classtype:trojan-activity; sid:26396; rev:1; service:dns; )
00199 alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain f.eastmoon.pl - Win.Trojan.Dorkbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|01|f|08|eastmoon|02|pl|00|"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community,service dns; classtype:trojan-activity; sid:26399; rev:1; service:dns; )
00199 alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain f.eastmoon.pl - Win.Trojan.Dorkbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|01|f|08|eastmoon|02|pl|00|"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community,service dns; classtype:trojan-activity; sid:26399; rev:1; service:dns; )
00200 alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain s.richlab.pl - Win.Trojan.Dorkbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|01|s|07|richlab|02|pl|00|"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community,service dns; classtype:trojan-activity; sid:26400; rev:1; service:dns; )
00200 alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain s.richlab.pl - Win.Trojan.Dorkbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|01|s|07|richlab|02|pl|00|"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community,service dns; classtype:trojan-activity; sid:26400; rev:1; service:dns; )
# NOTE(review): msg advertises gigasbh.org but the content pattern carries the label "gigabsh" (both 7 bytes, so |07| fits either). One side is misspelled: either the rule never fires on the name it claims to cover, or it alerts under a wrong name. Verify against the originating sample and correct whichever side is wrong.
00201 alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain gigasbh.org - Win.Trojan.Dorkbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|gigabsh|03|org"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community,service dns; classtype:trojan-activity; sid:26401; rev:1; service:dns; )
00201 alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain gigasbh.org - Win.Trojan.Dorkbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|gigabsh|03|org"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community,service dns; classtype:trojan-activity; sid:26401; rev:1; service:dns; )
00202 alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain xixbh.com - Win.Trojan.Dorkbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|xixbh|03|com"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community,service dns; classtype:trojan-activity; sid:26402; rev:1; service:dns; )
00202 alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain xixbh.com - Win.Trojan.Dorkbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|xixbh|03|com"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community,service dns; classtype:trojan-activity; sid:26402; rev:1; service:dns; )
00203 alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain h.opennews.su - Win.Trojan.Dorkbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|01|h|08|opennews|02|su|00|"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community,service dns; classtype:trojan-activity; sid:26403; rev:1; service:dns; )
00203 alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain h.opennews.su - Win.Trojan.Dorkbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|01|h|08|opennews|02|su|00|"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community,service dns; classtype:trojan-activity; sid:26403; rev:1; service:dns; )
00204 alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain o.dailyradio.su - Win.Trojan.Dorkbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|01|o|0A|dailyradio|02|su|00|"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community,service dns; classtype:trojan-activity; sid:26404; rev:1; service:dns; )
00204 alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain o.dailyradio.su - Win.Trojan.Dorkbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|01|o|0A|dailyradio|02|su|00|"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community,service dns; classtype:trojan-activity; sid:26404; rev:1; service:dns; )
00205 alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain xixbh.net - Win.Trojan.Dorkbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|xixbh|03|net"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community,service dns; classtype:trojan-activity; sid:26405; rev:1; service:dns; )
00205 alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain xixbh.net - Win.Trojan.Dorkbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|xixbh|03|net"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community,service dns; classtype:trojan-activity; sid:26405; rev:1; service:dns; )
00206 alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain photobeat.su - Win.Trojan.Dorkbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|photobeat|02|su|00|"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community,service dns; classtype:trojan-activity; sid:26406; rev:1; service:dns; )
00206 alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain photobeat.su - Win.Trojan.Dorkbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|photobeat|02|su|00|"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community,service dns; classtype:trojan-activity; sid:26406; rev:1; service:dns; )
00207 alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain uranus.kei.su - Win.Trojan.Dorkbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|uranus|03|kei|02|su|00|"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community,service dns; classtype:trojan-activity; sid:26407; rev:1; service:dns; )
00207 alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain uranus.kei.su - Win.Trojan.Dorkbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|uranus|03|kei|02|su|00|"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community,service dns; classtype:trojan-activity; sid:26407; rev:1; service:dns; )
# NOTE(review): msg advertises gigasphere.su but the content pattern carries the label "gigashpere" (transposed letters; |0A| fits either spelling). One side is misspelled, so the rule either misses the advertised name or alerts under a wrong one. Verify against the originating sample before relying on it.
00208 alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain gigasphere.su - Win.Trojan.Dorkbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|gigashpere|02|su"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community,service dns; classtype:trojan-activity; sid:26408; rev:1; service:dns; )
00208 alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain gigasphere.su - Win.Trojan.Dorkbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|gigashpere|02|su"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community,service dns; classtype:trojan-activity; sid:26408; rev:1; service:dns; )
# NOTE(review): the leading label "ext" has no length byte in front of it, unlike the sibling rules (e.g. |01|f, |09|photobeat). As written the pattern also matches any name whose label merely ends in "ext" before myshopers.com; use |03|ext if the exact host is meant. No terminating |00| after the TLD either.
00209 alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain ext.myshopers.com - Win.Trojan.Dorkbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"ext|08|myshopers|03|com"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community,service dns; classtype:trojan-activity; sid:26409; rev:1; service:dns; )
00209 alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain ext.myshopers.com - Win.Trojan.Dorkbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"ext|08|myshopers|03|com"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community,service dns; classtype:trojan-activity; sid:26409; rev:1; service:dns; )
00210 alert tcp $HOME_NET any -> $EXTERNAL_NET 443 ( msg:"BLACKLIST User-Agent known malicious user agent NOKIAN95/WEB"; flow:to_server,established; content:"User-Agent|3A| NOKIAN95|2F|WEB"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/targeted-attack-campaign-hides-behind-ssl-communication/; classtype:trojan-activity; sid:26522; rev:2; service:http; )
00210 alert tcp $HOME_NET any -> $EXTERNAL_NET 443 ( msg:"BLACKLIST User-Agent known malicious user agent NOKIAN95/WEB"; flow:to_server,established; content:"User-Agent|3A| NOKIAN95|2F|WEB"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/targeted-attack-campaign-hides-behind-ssl-communication/; classtype:trojan-activity; sid:26522; rev:2; service:http; )
00211 alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain d1js21szq85hyn.cloudfront.net - Win.Adware.BProtector"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|d1js21szq85hyn|0A|cloudfront|03|net"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community,service dns; classtype:trojan-activity; sid:26554; rev:1; service:dns; )
00211 alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain d1js21szq85hyn.cloudfront.net - Win.Adware.BProtector"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|d1js21szq85hyn|0A|cloudfront|03|net"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community,service dns; classtype:trojan-activity; sid:26554; rev:1; service:dns; )
00212 alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain xxxxxxxxxxxxxxx.kei.su - Win.Trojan.Dorkbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|xxxxxxxxxxxxxxx|03|kei|02|su"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community,service dns; classtype:trojan-activity; sid:26555; rev:1; service:dns; )
00212 alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain xxxxxxxxxxxxxxx.kei.su - Win.Trojan.Dorkbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|xxxxxxxxxxxxxxx|03|kei|02|su"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community,service dns; classtype:trojan-activity; sid:26555; rev:1; service:dns; )
00213 alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain f.dailyradio.su - Win.Trojan.Dorkbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|01|f|0A|dailyradio|02|su|00|"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community,service dns; classtype:trojan-activity; sid:26556; rev:1; service:dns; )
00213 alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"BLACKLIST DNS request for known malware domain f.dailyradio.su - Win.Trojan.Dorkbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|01|f|0A|dailyradio|02|su|00|"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips drop,ruleset community,service dns; classtype:trojan-activity; sid:26556; rev:1; service:dns; )
00214 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known Malicious user agent Brutus AET"; flow:to_server,established; http_header; content:"Mozilla|2F|3.0 |28|Compatible|29 3B|Brutus|2F|AET"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,sectools.org/tool/brutus; classtype:misc-activity; sid:26558; rev:3; service:http; )
00214 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known Malicious user agent Brutus AET"; flow:to_server,established; http_header; content:"Mozilla|2F|3.0 |28|Compatible|29 3B|Brutus|2F|AET"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,sectools.org/tool/brutus; classtype:misc-activity; sid:26558; rev:3; service:http; )
00215 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent Opera 10"; flow:to_server,established; http_header; content:"Opera/10|20|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,blog.avast.com/2013/05/03/regents-of-louisiana-spreading-sirefef-malware; reference:url,dev.opera.com/articles/view/opera-ua-string-changes; classtype:trojan-activity; sid:26577; rev:2; service:http; )
00215 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent Opera 10"; flow:to_server,established; http_header; content:"Opera/10|20|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,blog.avast.com/2013/05/03/regents-of-louisiana-spreading-sirefef-malware; reference:url,dev.opera.com/articles/view/opera-ua-string-changes; classtype:trojan-activity; sid:26577; rev:2; service:http; )
00216 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain www.elitemarketingworld.net - Cosmu Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|13|elitemarketingworld|03|net|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,camas.comodo.com/cgi-bin/submit?file=19e389aa2bce187e2fcd1aaa8b0f617cee2907b27b45dd0d5090d50d308a91bc; classtype:trojan-activity; sid:26580; rev:1; service:dns; )
00216 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain www.elitemarketingworld.net - Cosmu Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|13|elitemarketingworld|03|net|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,camas.comodo.com/cgi-bin/submit?file=19e389aa2bce187e2fcd1aaa8b0f617cee2907b27b45dd0d5090d50d308a91bc; classtype:trojan-activity; sid:26580; rev:1; service:dns; )
00217 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain www.rsakillerforever.name - Cosmu Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|10|rsakillerforever|04|name|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,camas.comodo.com/cgi-bin/submit?file=19e389aa2bce187e2fcd1aaa8b0f617cee2907b27b45dd0d5090d50d308a91bc; classtype:trojan-activity; sid:26581; rev:1; service:dns; )
00217 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain www.rsakillerforever.name - Cosmu Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|10|rsakillerforever|04|name|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,camas.comodo.com/cgi-bin/submit?file=19e389aa2bce187e2fcd1aaa8b0f617cee2907b27b45dd0d5090d50d308a91bc; classtype:trojan-activity; sid:26581; rev:1; service:dns; )
00218 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain www.allamericanservices.name - Cosmu Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|13|allamericanservices|04|name|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,camas.comodo.com/cgi-bin/submit?file=19e389aa2bce187e2fcd1aaa8b0f617cee2907b27b45dd0d5090d50d308a91bc; classtype:trojan-activity; sid:26582; rev:1; service:dns; )
00218 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain www.allamericanservices.name - Cosmu Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|13|allamericanservices|04|name|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,camas.comodo.com/cgi-bin/submit?file=19e389aa2bce187e2fcd1aaa8b0f617cee2907b27b45dd0d5090d50d308a91bc; classtype:trojan-activity; sid:26582; rev:1; service:dns; )
00219 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain msnsolution.nicaze.net - Genome Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|msnsolution|06|nicaze|03|net|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,camas.comodo.com/cgi-bin/submit?file=f48652bff483682938b8c281d32f8f3df424018270900956d30658e1dcec4b44; reference:url,www.virustotal.com/en/file/f48652bff483682938b8c281d32f8f3df424018270900956d30658e1dcec4b44/analysis/1367863560/; classtype:trojan-activity; sid:26583; rev:1; service:dns; )
00219 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain msnsolution.nicaze.net - Genome Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|msnsolution|06|nicaze|03|net|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,camas.comodo.com/cgi-bin/submit?file=f48652bff483682938b8c281d32f8f3df424018270900956d30658e1dcec4b44; reference:url,www.virustotal.com/en/file/f48652bff483682938b8c281d32f8f3df424018270900956d30658e1dcec4b44/analysis/1367863560/; classtype:trojan-activity; sid:26583; rev:1; service:dns; )
00220 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain theimageparlour.net - Vobfus worm"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|theimageparlour|03|net|00|"; content:"|03|ns"; content:"|0F|",within 2; content:"theimageparlour|03|net|00|",within 20; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,www.virustotal.com/en/file/cbee43ecc75d6f29061416add74a78ce5e36c67b85e186d66338399305e594d4/analysis/; classtype:trojan-activity; sid:26589; rev:1; service:dns; )
00220 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain theimageparlour.net - Vobfus worm"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|theimageparlour|03|net|00|"; content:"|03|ns"; content:"|0F|",within 2; content:"theimageparlour|03|net|00|",within 20; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,www.virustotal.com/en/file/cbee43ecc75d6f29061416add74a78ce5e36c67b85e186d66338399305e594d4/analysis/; classtype:trojan-activity; sid:26589; rev:1; service:dns; )
00221 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain www2.x3x4.su - backdoor trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|www2|04|x3x4|02|su|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,www.virustotal.com/en/file/a6cad9e09f5049f432491037946acf3376d3d957b97f49ecb22f86531fb0b7de/analysis/; classtype:trojan-activity; sid:26654; rev:1; service:dns; )
00221 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain www2.x3x4.su - backdoor trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|www2|04|x3x4|02|su|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,www.virustotal.com/en/file/a6cad9e09f5049f432491037946acf3376d3d957b97f49ecb22f86531fb0b7de/analysis/; classtype:trojan-activity; sid:26654; rev:1; service:dns; )
00222 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string J13A"; flow:to_server,established; http_header; content:"User-Agent: J13A|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/de/file/75667889BC6ACBB77E57EF02DDE1D908EEF9625292618E31E7D4F5194733C6F0/analysis/; classtype:trojan-activity; sid:26685; rev:2; service:http; )
00222 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user-agent string J13A"; flow:to_server,established; http_header; content:"User-Agent: J13A|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/de/file/75667889BC6ACBB77E57EF02DDE1D908EEF9625292618E31E7D4F5194733C6F0/analysis/; classtype:trojan-activity; sid:26685; rev:2; service:http; )
00223 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - Alina"; flow:to_server, established; http_header; content:"User-Agent|3A| Alina"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/102fa9c066102db7ebf821e28dbc6363d544843bfe45c331eb826663ab6c74b9/analysis/; classtype:trojan-activity; sid:26686; rev:1; service:http; )
00223 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - Alina"; flow:to_server, established; http_header; content:"User-Agent|3A| Alina"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/102fa9c066102db7ebf821e28dbc6363d544843bfe45c331eb826663ab6c74b9/analysis/; classtype:trojan-activity; sid:26686; rev:1; service:http; )
00224 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - Win"; flow:to_server,established; http_header; content:"User-Agent|3A| Win|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/6142f9c4ac27a3f5676c625d685e4ad500eaed2d936564b84fe5c0251e581701/analysis/; classtype:trojan-activity; sid:26702; rev:1; service:http; )
00224 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - Win"; flow:to_server,established; http_header; content:"User-Agent|3A| Win|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/6142f9c4ac27a3f5676c625d685e4ad500eaed2d936564b84fe5c0251e581701/analysis/; classtype:trojan-activity; sid:26702; rev:1; service:http; )
# NOTE(review): msg names no domain, unlike every sibling rule. The content pattern decodes to the labels 07o / no-ip / info (|03|07o|05|no-ip|04|info|00|), i.e. the dynamic-DNS name 07o.no-ip.info; naming it in msg would help analysts triage the alert without re-decoding the bytes.
00225 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain - Backdoor Rbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|07o|05|no-ip|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,www.virustotal.com/en/file/bee6e4bb1aba3934388948b48c59068fac3bf467ea9bde8d043ee6481a4d8431/analysis/1369236935/; classtype:trojan-activity; sid:26718; rev:1; service:dns; )
00225 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain - Backdoor Rbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|07o|05|no-ip|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,www.virustotal.com/en/file/bee6e4bb1aba3934388948b48c59068fac3bf467ea9bde8d043ee6481a4d8431/analysis/1369236935/; classtype:trojan-activity; sid:26718; rev:1; service:dns; )
00226 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - msctls_progress32"; flow:to_server,established; http_header; content:"User-Agent|3A| msctls_progress32|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/0b88db0c00910a9f018189a01bb9ab2b166cf16f73930d96e519281d6c5b3001/analysis/; classtype:trojan-activity; sid:26751; rev:1; service:http; )
00226 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - msctls_progress32"; flow:to_server,established; http_header; content:"User-Agent|3A| msctls_progress32|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/0b88db0c00910a9f018189a01bb9ab2b166cf16f73930d96e519281d6c5b3001/analysis/; classtype:trojan-activity; sid:26751; rev:1; service:http; )
00227 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain vseforyou.ru - Cridex Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|vseforyou|02|ru|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,www.virustotal.com/en/file/843ffd922b9bd902d736ddb664b578cde6e3033fa5a14b862b09045c36aa7524/analysis/1369942427/; classtype:trojan-activity; sid:26781; rev:1; service:dns; )
00227 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain vseforyou.ru - Cridex Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|vseforyou|02|ru|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,www.virustotal.com/en/file/843ffd922b9bd902d736ddb664b578cde6e3033fa5a14b862b09045c36aa7524/analysis/1369942427/; classtype:trojan-activity; sid:26781; rev:1; service:dns; )
00228 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain commorgan.ru - Cridex Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|commorgan|02|ru|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,www.virustotal.com/en/file/843ffd922b9bd902d736ddb664b578cde6e3033fa5a14b862b09045c36aa7524/analysis/1369942427/; classtype:trojan-activity; sid:26782; rev:1; service:dns; )
00228 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain commorgan.ru - Cridex Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|commorgan|02|ru|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,www.virustotal.com/en/file/843ffd922b9bd902d736ddb664b578cde6e3033fa5a14b862b09045c36aa7524/analysis/1369942427/; classtype:trojan-activity; sid:26782; rev:1; service:dns; )
00229 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain www.silobiancer.com - Win.Trojan.Rombrast Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|0B|silobiancer|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,www.virustotal.com/en/file/deac0b06fb36e38520b002489dae6fff3d346e72d331c3889e9d2764fe2bcf14/analysis/; classtype:trojan-activity; sid:26913; rev:1; service:dns; )
00229 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain www.silobiancer.com - Win.Trojan.Rombrast Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|0B|silobiancer|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,www.virustotal.com/en/file/deac0b06fb36e38520b002489dae6fff3d346e72d331c3889e9d2764fe2bcf14/analysis/; classtype:trojan-activity; sid:26913; rev:1; service:dns; )
00230 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain goliyonzo.pw - BackDoor Comet"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|goliyonzo|02|pw|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,mwanalysis.org/?page=report&analysisid=2156196&password=gtrcgbtwhh; reference:url,www.virustotal.com/en/file/b2e7148311c223519042ba38e1ef8a48061645d5bdcadf9763386ad92fcc2654/analysis/; classtype:trojan-activity; sid:26914; rev:1; service:dns; )
00230 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain goliyonzo.pw - BackDoor Comet"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|goliyonzo|02|pw|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,mwanalysis.org/?page=report&analysisid=2156196&password=gtrcgbtwhh; reference:url,www.virustotal.com/en/file/b2e7148311c223519042ba38e1ef8a48061645d5bdcadf9763386ad92fcc2654/analysis/; classtype:trojan-activity; sid:26914; rev:1; service:dns; )
00231 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain zalil.ru - Kazy Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|zalil|02|ru|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,mwanalysis.org/?page=report&analysisid=2156195&password=ykndnbluja; reference:url,www.virustotal.com/en/file/22ecaeec7bf54ac3bb8deecd092447c8d62e8e4a928dcaada0348b08db2d1f94/analysis/; classtype:trojan-activity; sid:26915; rev:1; service:dns; )
00231 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain zalil.ru - Kazy Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|zalil|02|ru|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,mwanalysis.org/?page=report&analysisid=2156195&password=ykndnbluja; reference:url,www.virustotal.com/en/file/22ecaeec7bf54ac3bb8deecd092447c8d62e8e4a928dcaada0348b08db2d1f94/analysis/; classtype:trojan-activity; sid:26915; rev:1; service:dns; )
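# Destination widened from $EXTERNAL_NET to any, matching the other DNS blacklist rules in this set: if
# $EXTERNAL_NET excludes $HOME_NET (the common setup) a client resolving this name through an internal or
# forwarding resolver was never inspected, so the rule only fired for hosts talking to outside DNS; rev bumped.
00232 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain soywey.sin-ip.es - Palevo Botnet"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|soywey|06|sin-ip|02|es|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,www.virustotal.com/en/file/218bf5badb5658d06b14d376c92834622b6a171dde9fa8dded755d9fd54c4dae/analysis/; classtype:trojan-activity; sid:26916; rev:2; service:dns; )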
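# Destination widened from $EXTERNAL_NET to any, matching the other DNS blacklist rules in this set: if
# $EXTERNAL_NET excludes $HOME_NET (the common setup) a client resolving this name through an internal or
# forwarding resolver was never inspected, so the rule only fired for hosts talking to outside DNS; rev bumped.
00232 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain soywey.sin-ip.es - Palevo Botnet"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|soywey|06|sin-ip|02|es|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,www.virustotal.com/en/file/218bf5badb5658d06b14d376c92834622b6a171dde9fa8dded755d9fd54c4dae/analysis/; classtype:trojan-activity; sid:26916; rev:2; service:dns; )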
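# Destination widened from $EXTERNAL_NET to any, matching the other DNS blacklist rules in this set: if
# $EXTERNAL_NET excludes $HOME_NET (the common setup) queries sent to an internal or forwarding resolver
# were never inspected, so the rule only fired for hosts talking directly to outside DNS; rev bumped.
00233 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain bigmack.opendns.be - Palevo Botnet"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|bigmack|07|opendns|02|be|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,www.mywot.com/en/scorecard/bigmack.opendns.be?page=3; classtype:trojan-activity; sid:26917; rev:2; service:dns; )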
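# Destination widened from $EXTERNAL_NET to any, matching the other DNS blacklist rules in this set: if
# $EXTERNAL_NET excludes $HOME_NET (the common setup) queries sent to an internal or forwarding resolver
# were never inspected, so the rule only fired for hosts talking directly to outside DNS; rev bumped.
00233 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain bigmack.opendns.be - Palevo Botnet"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|bigmack|07|opendns|02|be|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,www.mywot.com/en/scorecard/bigmack.opendns.be?page=3; classtype:trojan-activity; sid:26917; rev:2; service:dns; )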
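# Destination widened from $EXTERNAL_NET to any, matching the other DNS blacklist rules in this set: if
# $EXTERNAL_NET excludes $HOME_NET (the common setup) queries sent to an internal or forwarding resolver
# were never inspected, so the rule only fired for hosts talking directly to outside DNS; rev bumped.
00234 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain trafficconverter.biz - ChronoPay"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|trafficconverter|03|biz|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,krebsonsecurity.com/2011/03/chronopays-scareware-diaries/#more-8331; classtype:trojan-activity; sid:26918; rev:2; service:dns; )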
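# Destination widened from $EXTERNAL_NET to any, matching the other DNS blacklist rules in this set: if
# $EXTERNAL_NET excludes $HOME_NET (the common setup) queries sent to an internal or forwarding resolver
# were never inspected, so the rule only fired for hosts talking directly to outside DNS; rev bumped.
00234 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain trafficconverter.biz - ChronoPay"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|trafficconverter|03|biz|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,krebsonsecurity.com/2011/03/chronopays-scareware-diaries/#more-8331; classtype:trojan-activity; sid:26918; rev:2; service:dns; )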
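# Destination widened from $EXTERNAL_NET to any, matching the other DNS blacklist rules in this set: if
# $EXTERNAL_NET excludes $HOME_NET (the common setup) queries sent to an internal or forwarding resolver
# were never inspected, so the rule only fired for hosts talking directly to outside DNS; rev bumped.
00235 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain kjwre9fqwieluoi.info - W32.Sality"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|kjwre9fqwieluoi|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,www.threatexpert.com/report.aspx?md5=7abf56a5fbced892d2bdbe1fcbff233a; classtype:trojan-activity; sid:26919; rev:2; service:dns; )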
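# Destination widened from $EXTERNAL_NET to any, matching the other DNS blacklist rules in this set: if
# $EXTERNAL_NET excludes $HOME_NET (the common setup) queries sent to an internal or forwarding resolver
# were never inspected, so the rule only fired for hosts talking directly to outside DNS; rev bumped.
00235 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain kjwre9fqwieluoi.info - W32.Sality"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|kjwre9fqwieluoi|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,www.threatexpert.com/report.aspx?md5=7abf56a5fbced892d2bdbe1fcbff233a; classtype:trojan-activity; sid:26919; rev:2; service:dns; )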
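# Destination widened from $EXTERNAL_NET to any, matching the other DNS blacklist rules in this set: if
# $EXTERNAL_NET excludes $HOME_NET (the common setup) queries sent to an internal or forwarding resolver
# were never inspected, so the rule only fired for hosts talking directly to outside DNS; rev bumped.
00236 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain kukutrustnet777.info - W32.Sality"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|kukutrustnet777|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,www.threatexpert.com/report.aspx?md5=7abf56a5fbced892d2bdbe1fcbff233a; classtype:trojan-activity; sid:26920; rev:2; service:dns; )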
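# Destination widened from $EXTERNAL_NET to any, matching the other DNS blacklist rules in this set: if
# $EXTERNAL_NET excludes $HOME_NET (the common setup) queries sent to an internal or forwarding resolver
# were never inspected, so the rule only fired for hosts talking directly to outside DNS; rev bumped.
00236 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain kukutrustnet777.info - W32.Sality"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|kukutrustnet777|04|info|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,www.threatexpert.com/report.aspx?md5=7abf56a5fbced892d2bdbe1fcbff233a; classtype:trojan-activity; sid:26920; rev:2; service:dns; )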
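# Added byte_test:1,!&,0xF8,2 as every other DNS rule in this set carries it: it requires the top five bits of
# DNS header byte 2 (QR flag + opcode) to be clear, i.e. a standard query. Without it any port-53 datagram
# from $HOME_NET containing the encoded name (e.g. a non-query opcode, or a reply when flow direction cannot be
# established) would also fire and be dropped under the IPS policies; rev bumped.
00237 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain memo-stat.com - Htbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|memo-stat|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,malwr.com/analysis/MTNlMDg4ZTQwZjU2NDUxM2EwZDNlYzllNjZkMjRkNDI/; reference:url,www.virustotal.com/en/file/36802c72d1d5addc87d16688dcb37b680fd48f832fa7b93c15cf4f426aa3f0a7/analysis/; classtype:trojan-activity; sid:27043; rev:2; service:dns; )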
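# Added byte_test:1,!&,0xF8,2 as every other DNS rule in this set carries it: it requires the top five bits of
# DNS header byte 2 (QR flag + opcode) to be clear, i.e. a standard query. Without it any port-53 datagram
# from $HOME_NET containing the encoded name (e.g. a non-query opcode, or a reply when flow direction cannot be
# established) would also fire and be dropped under the IPS policies; rev bumped.
00237 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain memo-stat.com - Htbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|memo-stat|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,malwr.com/analysis/MTNlMDg4ZTQwZjU2NDUxM2EwZDNlYzllNjZkMjRkNDI/; reference:url,www.virustotal.com/en/file/36802c72d1d5addc87d16688dcb37b680fd48f832fa7b93c15cf4f426aa3f0a7/analysis/; classtype:trojan-activity; sid:27043; rev:2; service:dns; )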
00238 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain twinkcam.net - W32/Kryptik"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|twinkcam|03|net|00|"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,threatpost.com/nsa-whistleblower-article-redirects-to-malware; reference:url,www.virustotal.com/en/file/5d7b09613c03cb3b54b9ab7a886558bba38861a899638f4318c09eaa56401821/analysis/1373466967/; classtype:trojan-activity; sid:27180; rev:1; service:dns; )
00238 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain twinkcam.net - W32/Kryptik"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|twinkcam|03|net|00|"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,threatpost.com/nsa-whistleblower-article-redirects-to-malware; reference:url,www.virustotal.com/en/file/5d7b09613c03cb3b54b9ab7a886558bba38861a899638f4318c09eaa56401821/analysis/1373466967/; classtype:trojan-activity; sid:27180; rev:1; service:dns; )
00239 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain cinnamyn.com - W32/Kryptik"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|cinnamyn|03|com|00|"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,threatpost.com/nsa-whistleblower-article-redirects-to-malware; reference:url,www.virustotal.com/en/file/5d7b09613c03cb3b54b9ab7a886558bba38861a899638f4318c09eaa56401821/analysis/1373466967/; classtype:trojan-activity; sid:27181; rev:1; service:dns; )
00239 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain cinnamyn.com - W32/Kryptik"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|cinnamyn|03|com|00|"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,threatpost.com/nsa-whistleblower-article-redirects-to-malware; reference:url,www.virustotal.com/en/file/5d7b09613c03cb3b54b9ab7a886558bba38861a899638f4318c09eaa56401821/analysis/1373466967/; classtype:trojan-activity; sid:27181; rev:1; service:dns; )
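# msg corrected from "restless.ru" to "restless.su": the content bytes |08|restless|02|su|00| match the .su
# label, so the old text misdescribed what actually fires. If .ru was the intended C2 domain the content,
# not the msg, must change -- confirm against the referenced sample before relying on this rule; rev bumped.
00240 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain restless.su - Gamarue Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|restless|02|su|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,www.virustotal.com/en/file/03103b40b95070e4d14803e949dc754ca02bcea25e8b3a4194f7d248f15ca515/analysis/; classtype:trojan-activity; sid:27247; rev:2; service:dns; )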
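# msg corrected from "restless.ru" to "restless.su": the content bytes |08|restless|02|su|00| match the .su
# label, so the old text misdescribed what actually fires. If .ru was the intended C2 domain the content,
# not the msg, must change -- confirm against the referenced sample before relying on this rule; rev bumped.
00240 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain restless.su - Gamarue Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|restless|02|su|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,www.virustotal.com/en/file/03103b40b95070e4d14803e949dc754ca02bcea25e8b3a4194f7d248f15ca515/analysis/; classtype:trojan-activity; sid:27247; rev:2; service:dns; )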
00241 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - yahoonews"; flow:to_server,established; http_header; content:"User-Agent|3A| yahoonews|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/49608d016caf8dc31e95e01bd76cc4ac3f37df47b1299931f872e67a4ec80fa3/analysis/; classtype:trojan-activity; sid:27263; rev:1; service:http; )
00241 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLACKLIST User-Agent known malicious user agent - yahoonews"; flow:to_server,established; http_header; content:"User-Agent|3A| yahoonews|0D 0A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/49608d016caf8dc31e95e01bd76cc4ac3f37df47b1299931f872e67a4ec80fa3/analysis/; classtype:trojan-activity; sid:27263; rev:1; service:http; )
00242 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain ohtheigh.cc - Foreign-R Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|ohtheigh|02|cc|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,secure2.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Foreign-R/detailed-analysis.aspx; reference:url,www.virustotal.com/en/file/787cf06f029d8f79ed375aef13d18301541d73a56b4415da433833b8dae27b63/analysis/1374765802/; classtype:trojan-activity; sid:27537; rev:1; service:dns; )
00242 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain ohtheigh.cc - Foreign-R Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|ohtheigh|02|cc|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service dns; reference:url,secure2.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Foreign-R/detailed-analysis.aspx; reference:url,www.virustotal.com/en/file/787cf06f029d8f79ed375aef13d18301541d73a56b4415da433833b8dae27b63/analysis/1374765802/; classtype:trojan-activity; sid:27537; rev:1; service:dns; )
00243 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain prospexleads.com - Win.Trojan.Fareit"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|prospexleads|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,www.virustotal.com/file/88ec7a4f4a675b90f9bcba60558e2c6c14d4a0de90c75d384c8b07daaa74e10e/analysis/; classtype:trojan-activity; sid:27559; rev:1; service:dns; )
00243 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain prospexleads.com - Win.Trojan.Fareit"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|prospexleads|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,www.virustotal.com/file/88ec7a4f4a675b90f9bcba60558e2c6c14d4a0de90c75d384c8b07daaa74e10e/analysis/; classtype:trojan-activity; sid:27559; rev:1; service:dns; )
00244 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain phonebillssuck.com - Win.Trojan.Fareit"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|phonebillssuck|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,www.virustotal.com/file/88ec7a4f4a675b90f9bcba60558e2c6c14d4a0de90c75d384c8b07daaa74e10e/analysis/; classtype:trojan-activity; sid:27560; rev:1; service:dns; )
00244 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain phonebillssuck.com - Win.Trojan.Fareit"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|phonebillssuck|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,www.virustotal.com/file/88ec7a4f4a675b90f9bcba60558e2c6c14d4a0de90c75d384c8b07daaa74e10e/analysis/; classtype:trojan-activity; sid:27560; rev:1; service:dns; )
00245 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain myimpactblog.com - Win.Trojan.Fareit"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|myimpactblog|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,www.virustotal.com/file/88ec7a4f4a675b90f9bcba60558e2c6c14d4a0de90c75d384c8b07daaa74e10e/analysis/; classtype:trojan-activity; sid:27561; rev:1; service:dns; )
00245 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain myimpactblog.com - Win.Trojan.Fareit"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|myimpactblog|03|com|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,www.virustotal.com/file/88ec7a4f4a675b90f9bcba60558e2c6c14d4a0de90c75d384c8b07daaa74e10e/analysis/; classtype:trojan-activity; sid:27561; rev:1; service:dns; )
00246 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain fixingsocialsecurity.org - Win.Trojan.Fareit"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|14|fixingsocialsecurity|03|org|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,www.virustotal.com/file/88ec7a4f4a675b90f9bcba60558e2c6c14d4a0de90c75d384c8b07daaa74e10e/analysis/; classtype:trojan-activity; sid:27562; rev:1; service:dns; )
00246 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain fixingsocialsecurity.org - Win.Trojan.Fareit"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|14|fixingsocialsecurity|03|org|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,www.virustotal.com/file/88ec7a4f4a675b90f9bcba60558e2c6c14d4a0de90c75d384c8b07daaa74e10e/analysis/; classtype:trojan-activity; sid:27562; rev:1; service:dns; )
00247 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain keurslager-demeulder.be - Win.Trojan.Fareit"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|14|keurslager-demeulder|02|be|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,www.virustotal.com/file/88ec7a4f4a675b90f9bcba60558e2c6c14d4a0de90c75d384c8b07daaa74e10e/analysis/; classtype:trojan-activity; sid:27563; rev:1; service:dns; )
00247 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain keurslager-demeulder.be - Win.Trojan.Fareit"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|14|keurslager-demeulder|02|be|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,www.virustotal.com/file/88ec7a4f4a675b90f9bcba60558e2c6c14d4a0de90c75d384c8b07daaa74e10e/analysis/; classtype:trojan-activity; sid:27563; rev:1; service:dns; )
00248 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain ftp.sigmasolutions.gr - Win.Trojan.Fareit"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|ftp|0E|sigmasolutions|02|gr|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,www.virustotal.com/file/88ec7a4f4a675b90f9bcba60558e2c6c14d4a0de90c75d384c8b07daaa74e10e/analysis/; classtype:trojan-activity; sid:27564; rev:1; service:dns; )
00248 alert udp $HOME_NET any -> any 53 ( msg:"BLACKLIST DNS request for known malware domain ftp.sigmasolutions.gr - Win.Trojan.Fareit"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|ftp|0E|sigmasolutions|02|gr|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service dns; reference:url,www.virustotal.com/file/88ec7a4f4a675b90f9bcba60558e2c6c14d4a0de90c75d384c8b07daaa74e10e/analysis/; classtype:trojan-activity; sid:27564; rev:1; service:dns; )
00249 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-CHROME Google Chrome GURL cross origin bypass attempt - 1"; flow:to_client,established; file_data; content:"src=|22|https|3A 2F 2F|www.google.com|2F|accounts|2F|ManageAccount?hl=fr|22|"; content:"javascr|5C|u0009ipt|3A|alert|28|document.cookie"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,39813; reference:cve,2010-1663; classtype:attempted-user; sid:16667; rev:4; service:http; )
00249 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-CHROME Google Chrome GURL cross origin bypass attempt - 1"; flow:to_client,established; file_data; content:"src=|22|https|3A 2F 2F|www.google.com|2F|accounts|2F|ManageAccount?hl=fr|22|"; content:"javascr|5C|u0009ipt|3A|alert|28|document.cookie"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,39813; reference:cve,2010-1663; classtype:attempted-user; sid:16667; rev:4; service:http; )
00250 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-CHROME Google Chrome GURL cross origin bypass attempt - 2"; flow:to_client,established; file_data; content:"src=|22|http|3A 2F 2F|www.google.ca|2F|language_tools?hl=en|22|"; content:"window.open|28 27|j|5C|navascript|3A|alert|28|document.cookie|29 27|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,39813; reference:cve,2010-1663; classtype:attempted-user; sid:16668; rev:3; service:http; )
00250 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-CHROME Google Chrome GURL cross origin bypass attempt - 2"; flow:to_client,established; file_data; content:"src=|22|http|3A 2F 2F|www.google.ca|2F|language_tools?hl=en|22|"; content:"window.open|28 27|j|5C|navascript|3A|alert|28|document.cookie|29 27|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,39813; reference:cve,2010-1663; classtype:attempted-user; sid:16668; rev:3; service:http; )
00251 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-CHROME Google Chrome float rendering corruption attempt"; flow:to_client,established; file_data; content:"display: list-item"; content:"display: -webkit-inline-box"; content:"removeChild|28|",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2011-1804; classtype:attempted-user; sid:19710; rev:5; service:http; )
00251 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-CHROME Google Chrome float rendering corruption attempt"; flow:to_client,established; file_data; content:"display: list-item"; content:"display: -webkit-inline-box"; content:"removeChild|28|",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2011-1804; classtype:attempted-user; sid:19710; rev:5; service:http; )
00252 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox browser engine memory corruption attempt"; flow:to_client, established; file_data; content:"first-letter",nocase; content:"direction",distance 0,nocase; content:"rtl",within 8; content:"whitespace |3D| ",distance 0,nocase; content:"pre",within 10,nocase; content:"|3C|span",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,35326; reference:cve,2009-1392; classtype:attempted-user; sid:17613; rev:5; service:http; )
00252 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox browser engine memory corruption attempt"; flow:to_client, established; file_data; content:"first-letter",nocase; content:"direction",distance 0,nocase; content:"rtl",within 8; content:"whitespace |3D| ",distance 0,nocase; content:"pre",within 10,nocase; content:"|3C|span",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,35326; reference:cve,2009-1392; classtype:attempted-user; sid:17613; rev:5; service:http; )
00253 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox appendChild use-after-free attempt"; flow:to_client,established; file_data; content:"cobj|2E|id=|22|testcase|22|",fast_pattern,nocase; content:"document|2E|body|2E|appendChild|28|cobj|29|",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-3765; classtype:attempted-user; sid:19292; rev:4; service:http; )
00253 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox appendChild use-after-free attempt"; flow:to_client,established; file_data; content:"cobj|2E|id=|22|testcase|22|",fast_pattern,nocase; content:"document|2E|body|2E|appendChild|28|cobj|29|",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-3765; classtype:attempted-user; sid:19292; rev:4; service:http; )
00254 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox JavaScript handler race condition memory corruption attempt"; flow:to_client,established; file_data; content:"|3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E|",depth 70; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,19488; reference:cve,2006-4253; classtype:attempted-user; sid:18486; rev:3; service:http; )
00254 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox JavaScript handler race condition memory corruption attempt"; flow:to_client,established; file_data; content:"|3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E|",depth 70; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,19488; reference:cve,2006-4253; classtype:attempted-user; sid:18486; rev:3; service:http; )
00255 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox JavaScript handler race condition memory corruption attempt"; flow:to_client,established; file_data; content:"|3C 2F|x|20 22 B6 22 3E D1 3C 2F|x|20 22 B6 22 3E D1 3C 2F|x|20 22 B6 22 3E D1 3C 2F|x|20 22 B6 22 3E D1 3C 2F|x|20 22 B6 22 3E D1 3C 2F|x|20 22 B6 22 3E D1 3C 2F|x|20 22 B6 22 3E D1 3C 2F|x|20 22 B6 22 3E D1 3C 2F|x|20 22 B6 22 3E D1|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,19488; reference:cve,2006-4253; classtype:attempted-user; sid:18485; rev:3; service:http; )
00255 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox JavaScript handler race condition memory corruption attempt"; flow:to_client,established; file_data; content:"|3C 2F|x|20 22 B6 22 3E D1 3C 2F|x|20 22 B6 22 3E D1 3C 2F|x|20 22 B6 22 3E D1 3C 2F|x|20 22 B6 22 3E D1 3C 2F|x|20 22 B6 22 3E D1 3C 2F|x|20 22 B6 22 3E D1 3C 2F|x|20 22 B6 22 3E D1 3C 2F|x|20 22 B6 22 3E D1 3C 2F|x|20 22 B6 22 3E D1|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,19488; reference:cve,2006-4253; classtype:attempted-user; sid:18485; rev:3; service:http; )
00256 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox new function garbage collection remote code execution attempt"; flow:to_client,established; file_data; content:"try|20 7B 20|eval|28|e|2B 27 28|buf|2C|buf|29 27 29 3B 20 7D|"; content:"try|20 7B 20|eval|28|e|2B 27 28|buf|2C|buf|2C|buf|29 27 29 3B 20 7D|",within 200; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,19181; reference:cve,2006-3803; classtype:attempted-user; sid:18302; rev:3; service:http; )
00256 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox new function garbage collection remote code execution attempt"; flow:to_client,established; file_data; content:"try|20 7B 20|eval|28|e|2B 27 28|buf|2C|buf|29 27 29 3B 20 7D|"; content:"try|20 7B 20|eval|28|e|2B 27 28|buf|2C|buf|2C|buf|29 27 29 3B 20 7D|",within 200; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,19181; reference:cve,2006-3803; classtype:attempted-user; sid:18302; rev:3; service:http; )
00257 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox GeckoActiveXObject memory corruption attempt"; flow:to_client,established; file_data; content:"str|2B 3D|str|3B|"; content:"window.GeckoActiveXObject|28|str|29 3B|",within 200; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,19181; reference:cve,2006-3803; classtype:attempted-user; sid:18301; rev:3; service:http; )
00257 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox GeckoActiveXObject memory corruption attempt"; flow:to_client,established; file_data; content:"str|2B 3D|str|3B|"; content:"window.GeckoActiveXObject|28|str|29 3B|",within 200; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,19181; reference:cve,2006-3803; classtype:attempted-user; sid:18301; rev:3; service:http; )
# sid 18263 (CVE-2006-3801): to_client, file_data. Three ordered literal statements on "editEl"
# (assignment from window.el, innerHTML = value, disabled = false), each chained with distance 0 so
# they must appear in that order. Literal variable names from the PoC are part of the match.
00258 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox Javascript deleted frame or window reference attempt"; flow:to_client,established; file_data; content:"editEl|20 3D 20|window|2E|el|3B|"; content:"editEl|2E|innerHTML|20 3D 20|value|3B|",distance 0; content:"editEl|2E|disabled|20 3D 20|false|3B|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-3801; reference:url,osvdb.org/show/osvdb/27558; classtype:attempted-user; sid:18263; rev:3; service:http; )
00258 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox Javascript deleted frame or window reference attempt"; flow:to_client,established; file_data; content:"editEl|20 3D 20|window|2E|el|3B|"; content:"editEl|2E|innerHTML|20 3D 20|value|3B|",distance 0; content:"editEl|2E|disabled|20 3D 20|false|3B|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-3801; reference:url,osvdb.org/show/osvdb/27558; classtype:attempted-user; sid:18263; rev:3; service:http; )
# sid 18262 (CVE-2006-3806): to_client, file_data. Keys on a literal doubling loop (";i<25;i++) fe += fe;"),
# then "fu=new Function(" followed by a literal newline (|0A|), then a run of "fe, " arguments within 30 bytes.
# The embedded newline makes the second content whitespace-sensitive.
00259 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox Javascript engine function arguments memory corruption attempt"; flow:to_client,established; file_data; content:"|3B|i<25|3B|i++|29| fe += fe|3B|"; content:"fu=new Function|28 0A|"; content:"fe, fe, fe, fe, fe, fe, fe,",within 30; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,19181; reference:cve,2006-3806; classtype:attempted-user; sid:18262; rev:3; service:http; )
00259 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox Javascript engine function arguments memory corruption attempt"; flow:to_client,established; file_data; content:"|3B|i<25|3B|i++|29| fe += fe|3B|"; content:"fu=new Function|28 0A|"; content:"fe, fe, fe, fe, fe, fe, fe,",within 30; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,19181; reference:cve,2006-3806; classtype:attempted-user; sid:18262; rev:3; service:http; )
# sid 18261 (CVE-2006-3806): to_client, file_data. "var rr=" (nocase), then ".toSource();" starting
# 1 byte later and ending within 12 bytes, then an exact 1024*1024 concatenation loop on "meg".
# Only the first content is case-insensitive; the loop literal must match byte-for-byte.
00260 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox Javascript engine String.toSource memory corruption attempt"; flow:to_client,established; file_data; content:"var rr=",nocase; content:".toSource|28 29 3B|",within 12,distance 1; content:"for|28|i=0|3B|i<1024|2A|1024|3B|i++|29| meg += |22|v|22 3B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,19181; reference:cve,2006-3806; classtype:attempted-user; sid:18261; rev:3; service:http; )
00260 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox Javascript engine String.toSource memory corruption attempt"; flow:to_client,established; file_data; content:"var rr=",nocase; content:".toSource|28 29 3B|",within 12,distance 1; content:"for|28|i=0|3B|i<1024|2A|1024|3B|i++|29| meg += |22|v|22 3B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,19181; reference:cve,2006-3806; classtype:attempted-user; sid:18261; rev:3; service:http; )
# sid 18187 (CVE-2006-1790, bugtraq 17516): to_client, file_data. Single exact literal,
# InstallTrigger.install.call(document,"a","a"); — case-sensitive, PoC argument values included.
00261 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox InstallTrigger.install memory corruption attempt"; flow:to_client,established; file_data; content:"InstallTrigger.install.call|28|document|2C 22|a|22 2C 22|a|22 29 3B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,17516; reference:cve,2006-1790; classtype:attempted-user; sid:18187; rev:3; service:http; )
00261 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox InstallTrigger.install memory corruption attempt"; flow:to_client,established; file_data; content:"InstallTrigger.install.call|28|document|2C 22|a|22 2C 22|a|22 29 3B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,17516; reference:cve,2006-1790; classtype:attempted-user; sid:18187; rev:3; service:http; )
# sid 16142 (CVE-2009-3076, bugtraq 36343): to_client, file_data. Content "window.pkcs11.addmodule("
# gates a pcre (/smi) that accepts either of two alternatives: a "caption," argument beginning with
# three backslashes, or a "\n\n\n" string literal concatenated with "str". The pcre is not
# anchored relative to the content match, so it is evaluated over the whole buffer.
00262 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox PKCS11 module installation code execution attempt"; flow:to_client,established; file_data; content:"window.pkcs11.addmodule|28|"; pcre:"/(caption,\x22\x5c\x5c\x5c|\x22\x5cn\x5cn\x5cn\x22\x20\x2b\x20str)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,36343; reference:cve,2009-3076; classtype:attempted-user; sid:16142; rev:4; service:http; )
00262 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox PKCS11 module installation code execution attempt"; flow:to_client,established; file_data; content:"window.pkcs11.addmodule|28|"; pcre:"/(caption,\x22\x5c\x5c\x5c|\x22\x5cn\x5cn\x5cn\x22\x20\x2b\x20str)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,36343; reference:cve,2009-3076; classtype:attempted-user; sid:16142; rev:4; service:http; )
# sid 17719 (CVE-2009-1313, bugtraq 34743): to_client, file_data. "white-space: pre" plus a literal
# getElementById('para').childNodes[0].splitText(11) call; neither content is relative to the other.
# sid 16284 further down covers the same CVE with different PoC literals ('a', splitText(1)).
00263 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox ClearTextRun exploit attempt"; flow:to_client,established; file_data; content:"white-space|3A| pre"; content:"getElementById|28|'para'|29|.childNodes[0].splitText|28|11|29|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,34743; reference:cve,2009-1313; classtype:attempted-user; sid:17719; rev:3; service:http; )
00263 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox ClearTextRun exploit attempt"; flow:to_client,established; file_data; content:"white-space|3A| pre"; content:"getElementById|28|'para'|29|.childNodes[0].splitText|28|11|29|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,34743; reference:cve,2009-1313; classtype:attempted-user; sid:17719; rev:3; service:http; )
# sid 17570 (CVE-2008-1236, bugtraq 28448): to_client, file_data. "contentDocument.designMode", then
# "addEvenListener(" at distance 0, then "iframe.style.position" within 100 bytes; all nocase.
# NOTE(review): the second content reads "addEvenListener" (no 't'). The string "addEvenListener"
# is not a substring of "addEventListener", so this content only matches input that carries the
# same spelling. Presumably a typo — sid 13838 below, same CVE, matches "addEventListener".
# Confirm against the upstream rule before changing it; a fix would also need a rev bump.
00264 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox IFRAME style change handling code execution"; flow:to_client,established; file_data; content:"contentDocument.designMode",nocase; content:"addEvenListener|28|",distance 0,nocase; content:"iframe.style.position",within 100,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,28448; reference:cve,2008-1236; reference:url,secunia.com/advisories/29526; reference:url,www.mozilla.org/security/announce/2008/mfsa2008-15.html; classtype:attempted-user; sid:17570; rev:3; service:http; )
00264 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox IFRAME style change handling code execution"; flow:to_client,established; file_data; content:"contentDocument.designMode",nocase; content:"addEvenListener|28|",distance 0,nocase; content:"iframe.style.position",within 100,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,28448; reference:cve,2008-1236; reference:url,secunia.com/advisories/29526; reference:url,www.mozilla.org/security/announce/2008/mfsa2008-15.html; classtype:attempted-user; sid:17570; rev:3; service:http; )
# sid 17519 (CVE-2008-0016, bugtraq 31346): to_client, file_data. Single content: an anchor href
# opening with the raw bytes 01 78 78 (a control byte followed by "xx"). No other gating option.
00265 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox UTF-8 URL Handling Stack Buffer Overflow"; flow:to_client,established; file_data; content:"<a href=|22 01 78 78|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,31346; reference:cve,2008-0016; classtype:attempted-user; sid:17519; rev:4; service:http; )
00265 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox UTF-8 URL Handling Stack Buffer Overflow"; flow:to_client,established; file_data; content:"<a href=|22 01 78 78|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,31346; reference:cve,2008-0016; classtype:attempted-user; sid:17519; rev:4; service:http; )
# sid 15997 (CVE-2009-2477, bugtraq 35660): to_client, file_data. Seven short contents:
# "=data.charAt(" and "function" are absolute; "(data)" within 50, "if(" at distance 0, "=='" within
# 125, a lone "'" exactly 1 byte later, and " = escape(" within 135 are chained relative matches.
# Several of these fragments are generic JavaScript; the relative constraints carry the specificity.
00266 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox JIT escape function memory corruption attempt"; flow:to_client,established; file_data; content:"=data.charAt("; content:"function",nocase; content:"(data)",within 50,nocase; content:"if(",distance 0,nocase; content:"=='",within 125; content:"'",within 1,distance 1; content:" = escape(",within 135; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,35660; reference:cve,2009-2477; reference:url,www.kb.cert.org/vuls/id/443060; classtype:attempted-user; sid:15997; rev:6; service:http; )
00266 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox JIT escape function memory corruption attempt"; flow:to_client,established; file_data; content:"=data.charAt("; content:"function",nocase; content:"(data)",within 50,nocase; content:"if(",distance 0,nocase; content:"=='",within 125; content:"'",within 1,distance 1; content:" = escape(",within 135; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,35660; reference:cve,2009-2477; reference:url,www.kb.cert.org/vuls/id/443060; classtype:attempted-user; sid:15997; rev:6; service:http; )
# sid 16347 (CVE-2009-3382, bugtraq 36866): to_client, file_data. fast_pattern is pinned to the CSS
# fragment ":first-letter {float: "; then a literal setAttribute('style', 'display: -moz-box; ');
# and ".style.display= 'none';" within 60 bytes of it.
00267 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox browser engine memory corruption attempt"; flow:to_client,established; file_data; content:"|3A|first-letter {float|3A| ",fast_pattern; content:".setAttribute|28|'style', 'display|3A| -moz-box|3B| '|29 3B|"; content:".style.display= 'none'|3B|",within 60; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,36866; reference:cve,2009-3382; classtype:attempted-user; sid:16347; rev:3; service:http; )
00267 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox browser engine memory corruption attempt"; flow:to_client,established; file_data; content:"|3A|first-letter {float|3A| ",fast_pattern; content:".setAttribute|28|'style', 'display|3A| -moz-box|3B| '|29 3B|"; content:".style.display= 'none'|3B|",within 60; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,36866; reference:cve,2009-3382; classtype:attempted-user; sid:16347; rev:3; service:http; )
# sid 16284 (CVE-2009-1313): second ClearTextRun rule (see sid 17719 above). Keys on "white-space: pre",
# a "<script>" followed by a literal newline and "function doe()", and splitText(1) on element 'a'.
# The embedded |0A| makes the script-tag content line-ending sensitive.
00268 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox ClearTextRun exploit attempt"; flow:to_client,established; file_data; content:"white-space|3A| pre"; content:"<script>|0A|function doe|28 29|"; content:"getElementById|28|'a'|29|.childNodes[0].splitText|28|1|29|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,34743; reference:cve,2009-1313; classtype:attempted-user; sid:16284; rev:3; service:http; )
00268 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox ClearTextRun exploit attempt"; flow:to_client,established; file_data; content:"white-space|3A| pre"; content:"<script>|0A|function doe|28 29|"; content:"getElementById|28|'a'|29|.childNodes[0].splitText|28|1|29|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,34743; reference:cve,2009-1313; classtype:attempted-user; sid:16284; rev:3; service:http; )
# sid 15699 (CVE-2009-2479, bugtraq 35707): to_client, file_data. Two absolute, case-sensitive
# literals from a string-repeat helper ("i = Math.ceil(Math.log(num) / Math.LN2)," and
# "return res.slice(0, str.length * num)"). Whitespace inside the literals must match exactly.
00269 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox 3.5 unicode stack overflow attempt"; flow:to_client,established; file_data; content:"i = Math.ceil(Math.log(num) / Math.LN2),"; content:"return res.slice(0, str.length * num)"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,35707; reference:cve,2009-2479; classtype:attempted-user; sid:15699; rev:8; service:http; )
00269 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox 3.5 unicode stack overflow attempt"; flow:to_client,established; file_data; content:"i = Math.ceil(Math.log(num) / Math.LN2),"; content:"return res.slice(0, str.length * num)"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,35707; reference:cve,2009-2479; classtype:attempted-user; sid:15699; rev:8; service:http; )
# sid 15383 (CVE-2007-5339, bugtraq 26132): to_client, file_data. Ordered chain: "XUL_NS", then
# "child.parentNode.removeChild" at distance 0, then an onselect="deleteChild(event.originalTarget)"
# attribute at distance 0. All three are case-sensitive.
00270 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox XBL Event Handler Tags Removal memory corruption attempt"; flow:to_client,established; file_data; content:"XUL_NS"; content:"child.parentNode.removeChild",distance 0; content:"onselect=|22|deleteChild|28|event.originalTarget|29|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,26132; reference:cve,2007-5339; classtype:attempted-user; sid:15383; rev:3; service:http; )
00270 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox XBL Event Handler Tags Removal memory corruption attempt"; flow:to_client,established; file_data; content:"XUL_NS"; content:"child.parentNode.removeChild",distance 0; content:"onselect=|22|deleteChild|28|event.originalTarget|29|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,26132; reference:cve,2007-5339; classtype:attempted-user; sid:15383; rev:3; service:http; )
# sid 20072 (CVE-2011-0073, mfsa2011-13): to_client, file_data. ".view.selection" then
# ".invalidateSelection" at distance 0 (both nocase) gate a pcre (/smi) requiring ".tree = null"
# between a ".view.selection" and an ".invalidate". The pcre has two unbounded lazy ".*?" under /s;
# its cost is bounded by the two content matches having to hit first.
00271 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox nsTreeRange Use After Free attempt"; flow:to_client,established; file_data; content:"|2E|view|2E|selection",nocase; content:"|2E|invalidateSelection",distance 0,nocase; pcre:"/\x2Eview\x2Eselection.*?\x2Etree\s*\x3D\s*null.*?\x2Einvalidate/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2011-0073; reference:url,www.mozilla.org/security/announce/2011/mfsa2011-13.html; classtype:attempted-user; sid:20072; rev:2; service:http; )
00271 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox nsTreeRange Use After Free attempt"; flow:to_client,established; file_data; content:"|2E|view|2E|selection",nocase; content:"|2E|invalidateSelection",distance 0,nocase; pcre:"/\x2Eview\x2Eselection.*?\x2Etree\s*\x3D\s*null.*?\x2Einvalidate/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2011-0073; reference:url,www.mozilla.org/security/announce/2011/mfsa2011-13.html; classtype:attempted-user; sid:20072; rev:2; service:http; )
# sid 17804 (CVE-2010-3765): to_client, file_data. A literal array initialiser
# (new Array("audio", "a", "base")) followed at distance 0 by the literal string-building expression
# for the tag; fast_pattern is placed on the second, relative content. Both nocase.
00272 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox html tag attributes memory corruption"; flow:to_client,established; file_data; content:"var tags = new Array|28 22|audio|22|, |22|a|22|, |22|base|22 29|",nocase; content:"var html = |22|<|22| + tags[i] + |22| |22| + atts[j]",distance 0,fast_pattern,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-3765; classtype:attempted-user; sid:17804; rev:6; service:http; )
00272 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox html tag attributes memory corruption"; flow:to_client,established; file_data; content:"var tags = new Array|28 22|audio|22|, |22|a|22|, |22|base|22 29|",nocase; content:"var html = |22|<|22| + tags[i] + |22| |22| + atts[j]",distance 0,fast_pattern,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-3765; classtype:attempted-user; sid:17804; rev:6; service:http; )
# sid 16502 (CVE-2010-1028, bugtraq 38298): WOFF wrapping a CFF font ("wOFF" + "OTTO" flavor).
# After the 8-byte signature+flavor, skips 6 bytes and requires two zero bytes (per the WOFF header
# layout this is the reserved field after numTables — TODO confirm). The relative pcre (R) then skips
# the remaining 28 header bytes and walks 20-byte table-directory entries until one whose last field
# begins with three 0xFF bytes, i.e. an oversized length that the CVE's integer overflow hinges on.
# The tag class [0-9A-Z\x20\x2F] excludes lowercase; fonts with lowercase tags will not walk past such an entry.
00273 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox WOFF font processing integer overflow attempt - CFF-based"; flow:to_client,established; file_data; content:"wOFFOTTO"; content:"|00 00|",within 2,distance 6; pcre:"/^.{28}([0-9A-Z\x20\x2F]{4}.{8}[^\xFF].{7})*([0-9A-Z\x20\x2F]{4}.{8}\xFF{3})/isR"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,38298; reference:cve,2010-1028; reference:url,www.kb.cert.org/vuls/id/964549; classtype:attempted-user; sid:16502; rev:3; service:http; )
00273 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox WOFF font processing integer overflow attempt - CFF-based"; flow:to_client,established; file_data; content:"wOFFOTTO"; content:"|00 00|",within 2,distance 6; pcre:"/^.{28}([0-9A-Z\x20\x2F]{4}.{8}[^\xFF].{7})*([0-9A-Z\x20\x2F]{4}.{8}\xFF{3})/isR"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,38298; reference:cve,2010-1028; reference:url,www.kb.cert.org/vuls/id/964549; classtype:attempted-user; sid:16502; rev:3; service:http; )
# sid 16501 (CVE-2010-1028): TrueType-flavored twin of sid 16502 above — identical header check and
# table-directory pcre, differing only in the flavor bytes ("wOFF" + 00 01 00 00). Keep the two in
# sync if either pcre is revised.
00274 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox WOFF font processing integer overflow attempt - TrueType"; flow:to_client,established; file_data; content:"wOFF|00 01 00 00|"; content:"|00 00|",within 2,distance 6; pcre:"/^.{28}([0-9A-Z\x20\x2F]{4}.{8}[^\xFF].{7})*([0-9A-Z\x20\x2F]{4}.{8}\xFF{3})/isR"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,38298; reference:cve,2010-1028; reference:url,www.kb.cert.org/vuls/id/964549; classtype:attempted-user; sid:16501; rev:3; service:http; )
00274 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox WOFF font processing integer overflow attempt - TrueType"; flow:to_client,established; file_data; content:"wOFF|00 01 00 00|"; content:"|00 00|",within 2,distance 6; pcre:"/^.{28}([0-9A-Z\x20\x2F]{4}.{8}[^\xFF].{7})*([0-9A-Z\x20\x2F]{4}.{8}\xFF{3})/isR"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,38298; reference:cve,2010-1028; reference:url,www.kb.cert.org/vuls/id/964549; classtype:attempted-user; sid:16501; rev:3; service:http; )
# sid 17642 (CVE-2009-2462, bugtraq 35765): to_client, file_data. "first-letter" then "float: right"
# at distance 0 (both nocase), plus an absolute, case-sensitive parentNode.removeAttribute("class").
# "first-letter" / "float: right" are ordinary CSS; the removeAttribute literal carries the specificity.
00275 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox ConstructFrame with floating first-letter memory corruption attempt"; flow:to_client,established; file_data; content:"first-letter",nocase; content:"float: right",distance 0,nocase; content:"parentNode.removeAttribute(|22|class|22|)"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,35765; reference:cve,2009-2462; classtype:attempted-user; sid:17642; rev:5; service:http; )
00275 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox ConstructFrame with floating first-letter memory corruption attempt"; flow:to_client,established; file_data; content:"first-letter",nocase; content:"float: right",distance 0,nocase; content:"parentNode.removeAttribute(|22|class|22|)"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,35765; reference:cve,2009-2462; classtype:attempted-user; sid:17642; rev:5; service:http; )
# sid 17399 (CVE-2009-0773, bugtraq 33990): to_client, file_data. Literal a[6] = "toto"; followed at
# distance 0 by a.splice(6, 1);. sid 17398 below is the same check with different PoC literals.
00276 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox Javascript array.splice memory corruption attempt"; flow:to_client,established; file_data; content:"a|5B|6|5D 20 3D 20 22|toto|22 3B|"; content:"a|2E|splice|28|6|2C 20|1|29 3B|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,33990; reference:cve,2009-0773; classtype:attempted-user; sid:17399; rev:3; service:http; )
00276 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox Javascript array.splice memory corruption attempt"; flow:to_client,established; file_data; content:"a|5B|6|5D 20 3D 20 22|toto|22 3B|"; content:"a|2E|splice|28|6|2C 20|1|29 3B|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,33990; reference:cve,2009-0773; classtype:attempted-user; sid:17399; rev:3; service:http; )
# sid 17398 (CVE-2009-0773): variant of sid 17399 above — a[10] = "AAAAAAAAAA"; then a.splice(10, 1);
# at distance 0. Same msg, same references; only the PoC literals differ.
00277 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox Javascript array.splice memory corruption attempt"; flow:to_client,established; file_data; content:"a|5B|10|5D 20 3D 20 22|AAAAAAAAAA|22 3B|"; content:"a|2E|splice|28|10|2C 20|1|29 3B|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,33990; reference:cve,2009-0773; classtype:attempted-user; sid:17398; rev:3; service:http; )
00277 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox Javascript array.splice memory corruption attempt"; flow:to_client,established; file_data; content:"a|5B|10|5D 20 3D 20 22|AAAAAAAAAA|22 3B|"; content:"a|2E|splice|28|10|2C 20|1|29 3B|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,33990; reference:cve,2009-0773; classtype:attempted-user; sid:17398; rev:3; service:http; )
# sid 17258 (CVE-2009-1044, bugtraq 34181): to_client, file_data. selection.timedSelect(1,8000);
# then tree.view.selection=null; and "delete tree", each at distance 0.
# NOTE(review): the final content "delete selection" has no distance/within, so unlike the two
# before it it is not anchored to the previous match and is searched over the whole buffer.
# Verify whether "distance 0" was intended there, to keep the chain ordered like the rest.
00278 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox XUL tree element code execution attempt"; flow:to_client,established; file_data; content:"selection|2E|timedSelect|28|1|2C|8000|29 3B|"; content:"tree|2E|view|2E|selection|3D|null|3B|",distance 0; content:"delete|20|tree",distance 0; content:"delete|20|selection"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,34181; reference:cve,2009-1044; classtype:attempted-user; sid:17258; rev:3; service:http; )
00278 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox XUL tree element code execution attempt"; flow:to_client,established; file_data; content:"selection|2E|timedSelect|28|1|2C|8000|29 3B|"; content:"tree|2E|view|2E|selection|3D|null|3B|",distance 0; content:"delete|20|tree",distance 0; content:"delete|20|selection"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,34181; reference:cve,2009-1044; classtype:attempted-user; sid:17258; rev:3; service:http; )
# sid 17603 (CVE-2008-5021, mfsa2008-55): to_client, file_data. Cheap contents ("type=", "file" within
# 7 bytes, "getElement") gate a pcre that captures a variable name and element id (named groups
# varname/elementid) and requires, via backreferences, that the same variable's .type is later set
# to something other than "file" and that the same id is declared with type="file".
# The pcre carries two unbounded greedy ".*" under /s plus backreferences; expect it to be the
# expensive part of this rule on large HTML bodies that already satisfy the three contents.
00279 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox file type memory corruption attempt"; flow:to_client,established; file_data; content:"type=",nocase; content:"file",within 7,distance 1,nocase; content:"getElement",nocase; pcre:"/var\s*(?P<varname>[^\s]*)\s*\x3d\s*[^\x2E]*\x2EgetElement[^\x28]*\x28(\x22|\x27)(?P<elementid>[^\x22\x27]*)(\x22|\x27)\x29.*(?P=varname)\x2etype\s*\x3D\s*(\x22|\x27)(?!file).*id\s*\x3d\s*(\x22|\x27)(?P=elementid)[^>]*type\s*=\s*(\x22|\x27)file/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,32281; reference:cve,2008-5021; reference:url,www.mozilla.org/security/announce/2008/mfsa2008-55.html; classtype:attempted-user; sid:17603; rev:3; service:http; )
00279 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox file type memory corruption attempt"; flow:to_client,established; file_data; content:"type=",nocase; content:"file",within 7,distance 1,nocase; content:"getElement",nocase; pcre:"/var\s*(?P<varname>[^\s]*)\s*\x3d\s*[^\x2E]*\x2EgetElement[^\x28]*\x28(\x22|\x27)(?P<elementid>[^\x22\x27]*)(\x22|\x27)\x29.*(?P=varname)\x2etype\s*\x3D\s*(\x22|\x27)(?!file).*id\s*\x3d\s*(\x22|\x27)(?P=elementid)[^>]*type\s*=\s*(\x22|\x27)file/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,32281; reference:cve,2008-5021; reference:url,www.mozilla.org/security/announce/2008/mfsa2008-55.html; classtype:attempted-user; sid:17603; rev:3; service:http; )
# sid 17601 (CVE-2008-5016, mfsa2008-52): $FILE_DATA_PORTS, services http/imap/pop3, rev 9. Gated on
# flowbits:isset,file.xul — the rule that sets that flowbit is not on this page, so this rule is
# inert unless that setter is loaded too. Contents: "style=", two "<treechildren" (second at distance 0),
# "ordinal", and event.target.parentNode.removeChild; three pcres then require an onoverflow handler
# calling removeChild, an ordinal= between the two <treechildren, and a <tree ... before them.
# NOTE(review): the msg repeats sid 17603's "file type memory corruption attempt" wording, but what is
# matched here is XUL tree/treechildren handling — the msg does not describe the detection.
# (This rule is printed four times in this listing.)
00280 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox file type memory corruption attempt"; flow:to_client,established; flowbits:isset,file.xul; file_data; content:"style="; content:"<treechildren",nocase; content:"<treechildren",distance 0,nocase; content:"ordinal"; content:"event.target.parentNode.removeChild"; pcre:"/onoverflow\s*?=\s*?(\x22|\x27)\s*?event\.target\.parentNode\.removeChild/smi"; pcre:"/<treechildren.*?ordinal=.*?<treechildren/smi"; pcre:"/<tree.*?tree(?!children).*?<treechildren.*?<treechildren/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,32281; reference:cve,2008-5016; reference:url,www.mozilla.org/security/announce/2008/mfsa2008-52.html; classtype:attempted-user; sid:17601; rev:9; service:http; service:imap; service:pop3; )
00280 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox file type memory corruption attempt"; flow:to_client,established; flowbits:isset,file.xul; file_data; content:"style="; content:"<treechildren",nocase; content:"<treechildren",distance 0,nocase; content:"ordinal"; content:"event.target.parentNode.removeChild"; pcre:"/onoverflow\s*?=\s*?(\x22|\x27)\s*?event\.target\.parentNode\.removeChild/smi"; pcre:"/<treechildren.*?ordinal=.*?<treechildren/smi"; pcre:"/<tree.*?tree(?!children).*?<treechildren.*?<treechildren/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,32281; reference:cve,2008-5016; reference:url,www.mozilla.org/security/announce/2008/mfsa2008-52.html; classtype:attempted-user; sid:17601; rev:9; service:http; service:imap; service:pop3; )
00280 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox file type memory corruption attempt"; flow:to_client,established; flowbits:isset,file.xul; file_data; content:"style="; content:"<treechildren",nocase; content:"<treechildren",distance 0,nocase; content:"ordinal"; content:"event.target.parentNode.removeChild"; pcre:"/onoverflow\s*?=\s*?(\x22|\x27)\s*?event\.target\.parentNode\.removeChild/smi"; pcre:"/<treechildren.*?ordinal=.*?<treechildren/smi"; pcre:"/<tree.*?tree(?!children).*?<treechildren.*?<treechildren/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,32281; reference:cve,2008-5016; reference:url,www.mozilla.org/security/announce/2008/mfsa2008-52.html; classtype:attempted-user; sid:17601; rev:9; service:http; service:imap; service:pop3; )
00280 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox file type memory corruption attempt"; flow:to_client,established; flowbits:isset,file.xul; file_data; content:"style="; content:"<treechildren",nocase; content:"<treechildren",distance 0,nocase; content:"ordinal"; content:"event.target.parentNode.removeChild"; pcre:"/onoverflow\s*?=\s*?(\x22|\x27)\s*?event\.target\.parentNode\.removeChild/smi"; pcre:"/<treechildren.*?ordinal=.*?<treechildren/smi"; pcre:"/<tree.*?tree(?!children).*?<treechildren.*?<treechildren/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,32281; reference:cve,2008-5016; reference:url,www.mozilla.org/security/announce/2008/mfsa2008-52.html; classtype:attempted-user; sid:17601; rev:9; service:http; service:imap; service:pop3; )
# sid 13838 (CVE-2008-1236, bugtraq 28448), rev 7: the broader companion of sid 17570 above.
# Contents "iframe", "iframe.contentDocument.designMode", "addEventListener" (all nocase, none relative)
# gate a pcre requiring addEventListener( with a mousemove/mousedown/keydown event name; the named
# group (?P<q>...) accepts a double quote, a single quote, or no quote at all and requires the same closer.
00281 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox IFRAME style change handling code execution"; flow:to_client,established; file_data; content:"iframe",nocase; content:"iframe.contentDocument.designMode",nocase; content:"addEventListener",nocase; pcre:"/addEventListener\s*\(\s*(?P<q>\x22|\x27|)(mouse(move|down)|keydown)(?P=q)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,28448; reference:cve,2008-1236; reference:url,secunia.com/advisories/29526; reference:url,www.mozilla.org/security/announce/2008/mfsa2008-15.html; classtype:attempted-user; sid:13838; rev:7; service:http; )
00281 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox IFRAME style change handling code execution"; flow:to_client,established; file_data; content:"iframe",nocase; content:"iframe.contentDocument.designMode",nocase; content:"addEventListener",nocase; pcre:"/addEventListener\s*\(\s*(?P<q>\x22|\x27|)(mouse(move|down)|keydown)(?P=q)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,28448; reference:cve,2008-1236; reference:url,secunia.com/advisories/29526; reference:url,www.mozilla.org/security/announce/2008/mfsa2008-15.html; classtype:attempted-user; sid:13838; rev:7; service:http; )
# sid 15431 (CVE-2009-1169, mfsa2009-12), rev 8: to_client, file_data. One exact literal
# <xsl:key name="label" match="item2" use="w00t()"/> — attribute values are PoC-specific.
# Also dropped under the connectivity-ips policy, unlike most rules in this section.
00282 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox 3 xsl parsing heap overflow attempt"; flow:to_client,established; file_data; content:"<xsl|3A|key name=|22|label|22| match=|22|item2|22| use=|22|w00t|28 29 22|/>"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:bugtraq,34235; reference:cve,2009-1169; reference:url,www.mozilla.org/security/announce/2009/mfsa2009-12.html; classtype:attempted-user; sid:15431; rev:8; service:http; )
00282 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox 3 xsl parsing heap overflow attempt"; flow:to_client,established; file_data; content:"<xsl|3A|key name=|22|label|22| match=|22|item2|22| use=|22|w00t|28 29 22|/>"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:bugtraq,34235; reference:cve,2009-1169; reference:url,www.mozilla.org/security/announce/2009/mfsa2009-12.html; classtype:attempted-user; sid:15431; rev:8; service:http; )
# sid 17444 (CVE-2009-1169): second literal for the same xsl:key issue as sid 15431 above —
# <xsl:key name="poc" match="nodeB" use="does_not_exist()"/>. Same policies and references.
00283 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox 3 xsl parsing heap overflow attempt"; flow:to_client,established; file_data; content:"<xsl|3A|key name=|22|poc|22| match=|22|nodeB|22| use=|22|does_not_exist|28 29 22|/>"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:bugtraq,34235; reference:cve,2009-1169; reference:url,www.mozilla.org/security/announce/2009/mfsa2009-12.html; classtype:attempted-user; sid:17444; rev:6; service:http; )
00283 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox 3 xsl parsing heap overflow attempt"; flow:to_client,established; file_data; content:"<xsl|3A|key name=|22|poc|22| match=|22|nodeB|22| use=|22|does_not_exist|28 29 22|/>"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:bugtraq,34235; reference:cve,2009-1169; reference:url,www.mozilla.org/security/announce/2009/mfsa2009-12.html; classtype:attempted-user; sid:17444; rev:6; service:http; )
# sid 19713 (CVE-2011-2371, bugtraq 48372): to_client, file_data. "a.length=0xffffffff" followed at
# distance 0 by a.reduceRight(callback,0); both nocase. Keyed to the PoC's array name and callback name.
00284 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Array.reduceRight integer overflow"; flow:to_client,established; file_data; content:"a.length=0xffffffff",nocase; content:"a.reduceRight|28|callback|2C|0|29|",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,48372; reference:cve,2011-2371; classtype:attempted-user; sid:19713; rev:2; service:http; )
00284 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Array.reduceRight integer overflow"; flow:to_client,established; file_data; content:"a.length=0xffffffff",nocase; content:"a.reduceRight|28|callback|2C|0|29|",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,48372; reference:cve,2011-2371; classtype:attempted-user; sid:19713; rev:2; service:http; )
# sid 19714 (CVE-2011-2371): twin of sid 19713 above with the length literal 0x81000002 instead of
# 0xffffffff; the reduceRight content and all other options are identical.
00285 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Array.reduceRight integer overflow"; flow:to_client,established; file_data; content:"a.length=0x81000002",nocase; content:"a.reduceRight|28|callback|2C|0|29|",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,48372; reference:cve,2011-2371; classtype:attempted-user; sid:19714; rev:2; service:http; )
00285 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Array.reduceRight integer overflow"; flow:to_client,established; file_data; content:"a.length=0x81000002",nocase; content:"a.reduceRight|28|callback|2C|0|29|",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,48372; reference:cve,2011-2371; classtype:attempted-user; sid:19714; rev:2; service:http; )
# sid 18077 (CVE-2006-1739, osvdb 24660): to_client, file_data. One hex-only content: six "%n"
# sequences, then "EWIDTH=left SIZE=" followed by five 0x8B bytes. Entirely byte-exact; no nocase.
00286 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla products CSS rendering out-of-bounds array write attempt"; flow:to_client,established; file_data; content:"|25 6E 25 6E 25 6E 25 6E 25 6E 25 6E 22 45 57 49 44 54 48 3D 6C 65 66 74 20 53 49 5A 45 3D 8B 8B 8B 8B 8B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-1739; reference:url,osvdb.org/show/osvdb/24660; classtype:attempted-user; sid:18077; rev:4; service:http; )
00286 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla products CSS rendering out-of-bounds array write attempt"; flow:to_client,established; file_data; content:"|25 6E 25 6E 25 6E 25 6E 25 6E 25 6E 22 45 57 49 44 54 48 3D 6C 65 66 74 20 53 49 5A 45 3D 8B 8B 8B 8B 8B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-1739; reference:url,osvdb.org/show/osvdb/24660; classtype:attempted-user; sid:18077; rev:4; service:http; )
00287 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla products CSS rendering out-of-bounds array write attempt"; flow:to_client,established; file_data; content:"|3C|HR WIDTH|3D|4444444 COLOR|3D 22 23|000000|22 3E|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-1739; reference:url,osvdb.org/show/osvdb/24660; classtype:attempted-user; sid:18078; rev:4; service:http; )
00287 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla products CSS rendering out-of-bounds array write attempt"; flow:to_client,established; file_data; content:"|3C|HR WIDTH|3D|4444444 COLOR|3D 22 23|000000|22 3E|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-1739; reference:url,osvdb.org/show/osvdb/24660; classtype:attempted-user; sid:18078; rev:4; service:http; )
# CVE-2006-6504 (frame comment object manipulation): the pattern is the PoC's *partially* percent-encoded markup,
#   %3C!--%20Comment%20--%3E%3Csvg%20xmlns=%22http://www.w3.org/2000/svg%22%20version=%221.1%22%20baseProfile=%22full%22%3E%3C/svg%3E
# i.e. <, >, " and space are encoded while !, -, =, :, / and . are literal. A decoded or fully encoded copy of the
# same <!-- Comment --><svg ...></svg> markup does not match; sid 15999 further down covers the DOM step of the PoC.
00288 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla products frame comment objects manipulation memory corruption attempt"; flow:to_client,established; file_data; content:"|25|3C|21 2D 2D 25|20Comment|25|20|2D 2D 25|3E|25|3Csvg|25|20xmlns|3D 25|22http|3A 2F 2F|www|2E|w3|2E|org|2F|2000|2F|svg|25|22|25|20version|3D 25|221|2E|1|25|22|25|20baseProfile|3D 25|22full|25|22|25|3E|25|3C|2F|svg|25|3E"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,21668; reference:cve,2006-6504; classtype:attempted-user; sid:18296; rev:3; service:http; )
00288 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla products frame comment objects manipulation memory corruption attempt"; flow:to_client,established; file_data; content:"|25|3C|21 2D 2D 25|20Comment|25|20|2D 2D 25|3E|25|3Csvg|25|20xmlns|3D 25|22http|3A 2F 2F|www|2E|w3|2E|org|2F|2000|2F|svg|25|22|25|20version|3D 25|221|2E|1|25|22|25|20baseProfile|3D 25|22full|25|22|25|3E|25|3C|2F|svg|25|3E"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,21668; reference:cve,2006-6504; classtype:attempted-user; sid:18296; rev:3; service:http; )
00289 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla products element style change memory corruption code execution attempt"; flow:to_client,established; file_data; content:"|3C|q style|3D 22|position|3A|relative|3B 22 3E 3C|q style|3D 22|position|3A|relative|3B 22 3E|"; content:"|2E|style|2E|position|3D 27|static|27 3B|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,16476; reference:cve,2006-0294; classtype:attempted-user; sid:18286; rev:3; service:http; )
00289 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla products element style change memory corruption code execution attempt"; flow:to_client,established; file_data; content:"|3C|q style|3D 22|position|3A|relative|3B 22 3E 3C|q style|3D 22|position|3A|relative|3B 22 3E|"; content:"|2E|style|2E|position|3D 27|static|27 3B|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,16476; reference:cve,2006-0294; classtype:attempted-user; sid:18286; rev:3; service:http; )
00290 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla products EscapeAttributeValue integer overflow attempt"; flow:to_client,established; file_data; content:"alert|28|xx.toXMLString"; content:"for|28|i=0|3B|i<|28|1024*1024|29|/2|3B|i++|29| m += |22 5C|n|22 3B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,16476; reference:cve,2006-0297; classtype:attempted-user; sid:18250; rev:3; service:http; )
00290 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla products EscapeAttributeValue integer overflow attempt"; flow:to_client,established; file_data; content:"alert|28|xx.toXMLString"; content:"for|28|i=0|3B|i<|28|1024*1024|29|/2|3B|i++|29| m += |22 5C|n|22 3B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,16476; reference:cve,2006-0297; classtype:attempted-user; sid:18250; rev:3; service:http; )
00291 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla products -moz-grid and -moz-grid-group display styles code execution attempt"; flow:to_client,established; file_data; content:"|3C|button onclick|3D 22|document|2E|getElementsByTagName|28 27|row|27 29 5B|0|5D 2E|style|2E|display|3D 27 2D|moz|2D|grid|2D|group|27 22|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,17516; reference:cve,2006-1738; classtype:attempted-user; sid:18186; rev:4; service:http; )
00291 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla products -moz-grid and -moz-grid-group display styles code execution attempt"; flow:to_client,established; file_data; content:"|3C|button onclick|3D 22|document|2E|getElementsByTagName|28 27|row|27 29 5B|0|5D 2E|style|2E|display|3D 27 2D|moz|2D|grid|2D|group|27 22|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,17516; reference:cve,2006-1738; classtype:attempted-user; sid:18186; rev:4; service:http; )
00292 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla products frame comment objects manipulation memory corruption attempt"; flow:to_client,established; file_data; content:"bb.appendChild|28|fr.childNodes[4]|29 3B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,21668; reference:cve,2006-6504; classtype:attempted-user; sid:15999; rev:4; service:http; )
00292 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla products frame comment objects manipulation memory corruption attempt"; flow:to_client,established; file_data; content:"bb.appendChild|28|fr.childNodes[4]|29 3B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,21668; reference:cve,2006-6504; classtype:attempted-user; sid:15999; rev:4; service:http; )
00293 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Products SVG Layout Engine Index Parameter memory corruption attempt"; flow:to_client,established; file_data; content:"document.getElementById|28 22|path|22 29|.pathSegList.getItem|28|-1|29|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,24242; reference:cve,2007-2867; classtype:attempted-user; sid:15164; rev:4; service:http; )
00293 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Products SVG Layout Engine Index Parameter memory corruption attempt"; flow:to_client,established; file_data; content:"document.getElementById|28 22|path|22 29|.pathSegList.getItem|28|-1|29|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,24242; reference:cve,2007-2867; classtype:attempted-user; sid:15164; rev:4; service:http; )
00294 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla multiple products CSSValue array memory corruption attempt"; flow:to_client,established; file_data; content:"counter|2D|reset|3A|"; content:"counter|2D|increment|3A|",distance 0; content:"|3C|ol|20|id|3D 22|id1|22 3E 0A|",distance 0; content:"|3C|li|3E 3C 2F|li|3E 0A 3C|li|3E 3C 2F|li|3E 0A 3C|li|3E 3C 2F|li|3E 0A|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,29802; reference:cve,2008-2785; classtype:attempted-user; sid:17630; rev:3; service:http; )
00294 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla multiple products CSSValue array memory corruption attempt"; flow:to_client,established; file_data; content:"counter|2D|reset|3A|"; content:"counter|2D|increment|3A|",distance 0; content:"|3C|ol|20|id|3D 22|id1|22 3E 0A|",distance 0; content:"|3C|li|3E 3C 2F|li|3E 0A 3C|li|3E 3C 2F|li|3E 0A 3C|li|3E 3C 2F|li|3E 0A|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,29802; reference:cve,2008-2785; classtype:attempted-user; sid:17630; rev:3; service:http; )
# CVE-2011-2371 again (see sids 19713/19714 above) with two further literal PoC forms:
# "len = 0xffffffff" and ".length = 2197815302" (decimal for 0x83000006). Unlike 19713/19714 the two
# content matches carry no distance/within, so ".reduceRight" may appear before or after the length
# assignment, anywhere in the file_data buffer. Still literal-string detection, not a generic check.
00295 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Array.reduceRight integer overflow"; flow:to_client,established; file_data; content:"len = 0xffffffff"; content:".reduceRight"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,48372; reference:cve,2011-2371; classtype:attempted-user; sid:24187; rev:1; service:http; )
00295 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Array.reduceRight integer overflow"; flow:to_client,established; file_data; content:"len = 0xffffffff"; content:".reduceRight"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,48372; reference:cve,2011-2371; classtype:attempted-user; sid:24187; rev:1; service:http; )
00296 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Array.reduceRight integer overflow"; flow:to_client,established; file_data; content:".length = 2197815302"; content:".reduceRight"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,48372; reference:cve,2011-2371; classtype:attempted-user; sid:24188; rev:1; service:http; )
00296 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Array.reduceRight integer overflow"; flow:to_client,established; file_data; content:".length = 2197815302"; content:".reduceRight"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,48372; reference:cve,2011-2371; classtype:attempted-user; sid:24188; rev:1; service:http; )
# CVE-2009-2479 (Firefox 3.5 unicode stack overflow), but on the SMTP path ($SMTP_SERVERS:25, service smtp)
# rather than HTTP: matches two literal lines of the PoC's string-repeat helper inside file_data.
# NOTE(review): with service smtp, file_data is the decoded mail body/attachment rather than the raw
# session, so this presumably depends on MIME decoding being enabled in the SMTP preprocessor -- confirm
# against the deployment's snort.conf. No HTTP twin of this rule is present in this section.
00297 alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-FIREFOX Mozilla Firefox 3.5 unicode stack overflow attempt"; flow:to_server,established; file_data; content:"i = Math.ceil(Math.log(num) / Math.LN2),"; content:"return res.slice(0, str.length * num)"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,35707; reference:cve,2009-2479; classtype:attempted-user; sid:26188; rev:1; service:smtp; )
00297 alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-FIREFOX Mozilla Firefox 3.5 unicode stack overflow attempt"; flow:to_server,established; file_data; content:"i = Math.ceil(Math.log(num) / Math.LN2),"; content:"return res.slice(0, str.length * num)"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,35707; reference:cve,2009-2479; classtype:attempted-user; sid:26188; rev:1; service:smtp; )
00298 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Multiple browser marquee tag denial of service attempt"; flow:to_client,established; file_data; content:"document.write|28 27|<html><marquee><h1>|27|+buffer+buffer|29 3B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,18165; reference:cve,2006-2723; classtype:attempted-dos; sid:18188; rev:4; service:http; )
00298 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Multiple browser marquee tag denial of service attempt"; flow:to_client,established; file_data; content:"document.write|28 27|<html><marquee><h1>|27|+buffer+buffer|29 3B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,18165; reference:cve,2006-2723; classtype:attempted-dos; sid:18188; rev:4; service:http; )
# CVE-2013-1690 (Firefox 17 onreadystatechange UAF): five unanchored contents that are all ordinary DOM/JS
# API names -- readystatechange, addEventListener, ArrayBuffer(, Int32Array, window.stop -- plus a negated
# content:!"ArrayBufferView". There are no distance/within constraints, so any page using all five names
# without the token ArrayBufferView fires; expect some false positives on legitimate typed-array-heavy
# JavaScript. Covers HTTP and mail ($FILE_DATA_PORTS, service http/imap/pop3) via file_data.
00299 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox 17 onreadystatechange memory corruption attempt"; flow:to_client,established; file_data; content:"readystatechange"; content:"addEventListener"; content:"ArrayBuffer("; content:"Int32Array"; content:"window.stop"; content:!"ArrayBufferView"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-1690; reference:url,pastebin.mozilla.org/2777139; classtype:attempted-user; sid:27568; rev:1; service:http; service:imap; service:pop3; )
00299 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox 17 onreadystatechange memory corruption attempt"; flow:to_client,established; file_data; content:"readystatechange"; content:"addEventListener"; content:"ArrayBuffer("; content:"Int32Array"; content:"window.stop"; content:!"ArrayBufferView"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-1690; reference:url,pastebin.mozilla.org/2777139; classtype:attempted-user; sid:27568; rev:1; service:http; service:imap; service:pop3; )
00299 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox 17 onreadystatechange memory corruption attempt"; flow:to_client,established; file_data; content:"readystatechange"; content:"addEventListener"; content:"ArrayBuffer("; content:"Int32Array"; content:"window.stop"; content:!"ArrayBufferView"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-1690; reference:url,pastebin.mozilla.org/2777139; classtype:attempted-user; sid:27568; rev:1; service:http; service:imap; service:pop3; )
00299 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox 17 onreadystatechange memory corruption attempt"; flow:to_client,established; file_data; content:"readystatechange"; content:"addEventListener"; content:"ArrayBuffer("; content:"Int32Array"; content:"window.stop"; content:!"ArrayBufferView"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-1690; reference:url,pastebin.mozilla.org/2777139; classtype:attempted-user; sid:27568; rev:1; service:http; service:imap; service:pop3; )
00300 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer navcancl.htm url spoofing attempt"; flow:to_client,established; file_data; content:"ieframe.dll/navcancl.htm|23|",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,22966; reference:cve,2007-1499; reference:cve,2007-1752; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-033; classtype:misc-attack; sid:11834; rev:15; service:http; )
00300 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer navcancl.htm url spoofing attempt"; flow:to_client,established; file_data; content:"ieframe.dll/navcancl.htm|23|",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,22966; reference:cve,2007-1499; reference:cve,2007-1752; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-033; classtype:misc-attack; sid:11834; rev:15; service:http; )
# CVE-2009-1547 / MS09-054 (IE data-stream header handling): these four match the RAW server payload --
# no file_data or http_* buffer -- because the trigger is a deliberately malformed response header that
# uses bare-LF line endings and tab runs. Decoded, the hex patterns are:
#   21993: "HTTP/1.1 200 OK\nContent-Encoding:deflate\nContent-Range:\r" + 9 tabs + "\n\r\n  "
#   21992: "HTTP \nContent-Encoding:deflate\nContent-Range:\n\n"
#   21991: "HTTP/.\nContent-Encoding:deflate\r\t\n\r\n  "
#   16149: nocase "Content-Encoding:deflate", then a "\Content-Range:" line followed by a fixed tab/space run
# Each is one exact whitespace layout of the published PoC; a response with a different tab/LF arrangement
# slips past all four, and the raw match depends on the header arriving at the start of a reassembled segment.
00301 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer data stream header remote code execution attempt"; flow:to_client,established; content:"|48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0A 43 6F 6E 74 65 6E 74 2D 45 6E 63 6F 64 69 6E 67 3A 64 65 66 6C 61 74 65 0A 43 6F 6E 74 65 6E 74 2D 52 61 6E 67 65 3A 0D 09 09 09 09 09 09 09 09 09 0A 0D 0A 20 20|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-1547; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-054; classtype:attempted-user; sid:21993; rev:2; service:http; )
00301 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer data stream header remote code execution attempt"; flow:to_client,established; content:"|48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0A 43 6F 6E 74 65 6E 74 2D 45 6E 63 6F 64 69 6E 67 3A 64 65 66 6C 61 74 65 0A 43 6F 6E 74 65 6E 74 2D 52 61 6E 67 65 3A 0D 09 09 09 09 09 09 09 09 09 0A 0D 0A 20 20|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-1547; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-054; classtype:attempted-user; sid:21993; rev:2; service:http; )
00302 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer data stream header remote code execution attempt"; flow:to_client,established; content:"|48 54 54 50 20 0A 43 6F 6E 74 65 6E 74 2D 45 6E 63 6F 64 69 6E 67 3A 64 65 66 6C 61 74 65 0A 43 6F 6E 74 65 6E 74 2D 52 61 6E 67 65 3A 0A 0A|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-1547; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-054; classtype:attempted-user; sid:21992; rev:2; service:http; )
00302 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer data stream header remote code execution attempt"; flow:to_client,established; content:"|48 54 54 50 20 0A 43 6F 6E 74 65 6E 74 2D 45 6E 63 6F 64 69 6E 67 3A 64 65 66 6C 61 74 65 0A 43 6F 6E 74 65 6E 74 2D 52 61 6E 67 65 3A 0A 0A|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-1547; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-054; classtype:attempted-user; sid:21992; rev:2; service:http; )
00303 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer data stream header remote code execution attempt"; flow:to_client,established; content:"|48 54 54 50 2F 2E 0A 43 6F 6E 74 65 6E 74 2D 45 6E 63 6F 64 69 6E 67 3A 64 65 66 6C 61 74 65 0D 09 0A 0D 0A 20 20|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-1547; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-054; classtype:attempted-user; sid:21991; rev:2; service:http; )
00303 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer data stream header remote code execution attempt"; flow:to_client,established; content:"|48 54 54 50 2F 2E 0A 43 6F 6E 74 65 6E 74 2D 45 6E 63 6F 64 69 6E 67 3A 64 65 66 6C 61 74 65 0D 09 0A 0D 0A 20 20|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-1547; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-054; classtype:attempted-user; sid:21991; rev:2; service:http; )
00304 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer data stream header remote code execution attempt"; flow:to_client,established; content:"Content-Encoding|3A|deflate",nocase; content:"|5C|Content-Range|3A 0D 0A 0D 0A 0D 0A 09| |09 09| |09| |09 09 09 09 09| |09 09| |09| |09 09| |09 09| |09 09 09| |09| |09| |09| |09| |09 09 09| |09 09| |09| |09 09 09| |09| |09| |09| |09 09 09 09 09 09| |09 09| |09|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-1547; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-054; classtype:attempted-user; sid:16149; rev:7; service:http; )
00304 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer data stream header remote code execution attempt"; flow:to_client,established; content:"Content-Encoding|3A|deflate",nocase; content:"|5C|Content-Range|3A 0D 0A 0D 0A 0D 0A 09| |09 09| |09| |09 09 09 09 09| |09 09| |09| |09 09| |09 09| |09 09 09| |09| |09| |09| |09| |09 09 09| |09 09| |09| |09 09 09| |09| |09| |09| |09 09 09 09 09 09| |09 09| |09|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-1547; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-054; classtype:attempted-user; sid:16149; rev:7; service:http; )
# CVE-2008-4844 / MS08-078 (nested tag memory corruption): "%53%52%43%3d%5c%5c%26%23" is the percent-encoded
# form of  SRC=\\&#  -- the start of the payload as it would be passed to unescape(). nocase makes the hex
# digits case-insensitive (%3D, %5C, %26 also match). Only this encoded spelling is matched here; the decoded
# SRC=\\&# text itself is not covered by this sid.
00305 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer nested tag memory corruption attempt - unescaped"; flow:to_client,established; file_data; content:"%53%52%43%3d%5c%5c%26%23",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,32721; reference:cve,2008-4844; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-078; classtype:attempted-user; sid:17401; rev:7; service:http; )
00305 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer nested tag memory corruption attempt - unescaped"; flow:to_client,established; file_data; content:"%53%52%43%3d%5c%5c%26%23",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,32721; reference:cve,2008-4844; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-078; classtype:attempted-user; sid:17401; rev:7; service:http; )
00306 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer Cross-Domain information disclosure attempt"; flow:to_client,established; file_data; content:"alert|28|myLink.styleSheet.cssText|29|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,43709; reference:cve,2010-3330; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-071; classtype:attempted-user; sid:19411; rev:4; service:http; )
00306 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer Cross-Domain information disclosure attempt"; flow:to_client,established; file_data; content:"alert|28|myLink.styleSheet.cssText|29|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,43709; reference:cve,2010-3330; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-071; classtype:attempted-user; sid:19411; rev:4; service:http; )
00307 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer onPropertyChange deleteTable memory corruption attempt"; flow:to_client,established; file_data; content:"document.getElementById|28|'colid1'|29 2E|onpropertychange|20|="; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,37891; reference:cve,2010-0244; classtype:attempted-user; sid:18951; rev:4; service:http; )
00307 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer onPropertyChange deleteTable memory corruption attempt"; flow:to_client,established; file_data; content:"document.getElementById|28|'colid1'|29 2E|onpropertychange|20|="; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,37891; reference:cve,2010-0244; classtype:attempted-user; sid:18951; rev:4; service:http; )
# CVE-2005-0553 / MS05-020 (sids 18518-18523): literal statements lifted from one DHTML PoC, each sid a
# different fragment of it. These three match the RAW TCP payload -- there is no file_data, unlike the other
# BROWSER-* rules in this section -- so a deflate/gzip-encoded or chunked response body is not inspected in
# normalized form. NOTE(review): consider adding file_data (and bumping rev) the way sid 27568 above does.
# 18523/18522 tie their second content to the first with within 100 / within 200.
00308 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer HTML DOM invalid DHTML exploit attempt"; flow:to_client,established; content:"document.writeln|28 28|block.length|2B|memory|5B|0|5D 2E|length|2A|300|29 29 3B|"; content:"child_creator.click|28 29 3B|",within 100; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,13120; reference:cve,2005-0553; reference:nessus,10861; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-020; classtype:attempted-user; sid:18523; rev:5; service:http; )
00308 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer HTML DOM invalid DHTML exploit attempt"; flow:to_client,established; content:"document.writeln|28 28|block.length|2B|memory|5B|0|5D 2E|length|2A|300|29 29 3B|"; content:"child_creator.click|28 29 3B|",within 100; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,13120; reference:cve,2005-0553; reference:nessus,10861; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-020; classtype:attempted-user; sid:18523; rev:5; service:http; )
00309 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer HTML DOM invalid DHTML element creation attempt"; flow:to_client,established; content:"child_creator|20 3D 20|document|2E|createElement|28 22 3C|A target|3D 27|_blank|27|"; content:"document.body.insertBefore|28|child_creator|29 3B|",within 200; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,13120; reference:cve,2005-0553; reference:nessus,10861; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-020; classtype:attempted-user; sid:18522; rev:5; service:http; )
00309 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer HTML DOM invalid DHTML element creation attempt"; flow:to_client,established; content:"child_creator|20 3D 20|document|2E|createElement|28 22 3C|A target|3D 27|_blank|27|"; content:"document.body.insertBefore|28|child_creator|29 3B|",within 200; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,13120; reference:cve,2005-0553; reference:nessus,10861; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-020; classtype:attempted-user; sid:18522; rev:5; service:http; )
00310 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer HTML DOM invalid DHTML element creation attempt"; flow:to_client,established; content:"child_element|20 3D 20|child|2E|document|2E|createElement|28 22 22 29 3B|"; content:"child_element|2E|appendChild|28|parent_element|29 3B|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,13120; reference:cve,2005-0553; reference:nessus,10861; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-020; classtype:attempted-user; sid:18521; rev:5; service:http; )
00310 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer HTML DOM invalid DHTML element creation attempt"; flow:to_client,established; content:"child_element|20 3D 20|child|2E|document|2E|createElement|28 22 22 29 3B|"; content:"child_element|2E|appendChild|28|parent_element|29 3B|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,13120; reference:cve,2005-0553; reference:nessus,10861; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-020; classtype:attempted-user; sid:18521; rev:5; service:http; )
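# CVE-2005-0553 / MS05-020: literal "try { window.open().document.appendChild(document); } catch(e) {}" from the PoC.
# This sid is declared for HTTP *and* mail delivery ($FILE_DATA_PORTS, service http/imap/pop3) but previously
# matched the raw TCP payload with no file_data. On the raw stream a base64/quoted-printable MIME attachment never
# contains this plaintext, and a deflate/gzip or chunked HTTP body is not seen decoded either, so the imap/pop3
# half of the rule could not fire. file_data is added so the match runs on the decoded body buffer, consistent with
# sid 27568 (same port/service set) and the other BROWSER-* rules here; rev bumped 6 -> 7 for the logic change.
# NOTE(review): for the mail services this assumes the SMTP/IMAP/POP3 preprocessors have attachment decoding enabled.
00311 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer HTML DOM invalid DHTML exploit attempt"; flow:to_client,established; file_data; content:"try { window.open().document.appendChild(document)|3B| } catch(e) {}"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,13120; reference:cve,2005-0553; reference:nessus,10861; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-020; classtype:attempted-user; sid:18520; rev:7; service:http; service:imap; service:pop3; )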
# Same MS05-020 PoC (see sids 18521-18523 above), again raw-payload matches with no file_data.
# 18519 keys on the "%u0000%u0000" filler string built with unescape() plus the insertBefore(createElement(filler)) call.
# 18518's hex block is UTF-16LE text -- it decodes to
#   arent_element.appendChild(document.createComment(sMSHTML_heap_spray));
# (note it starts mid-identifier at "arent_element"), so it fires only on a UTF-16 encoded copy of the page;
# the ASCII form of the same statement is not matched by any sid in this group.
00312 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer HTML DOM invalid DHTML element creation attempt"; flow:to_client,established; content:"filler|20 2B 3D 20|unescape|28 22 25|u0000|25|u0000"; content:"obj|2E|insertBefore|28|document|2E|createElement|28|filler|29 29 3B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,13120; reference:cve,2005-0553; reference:nessus,10861; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-020; classtype:attempted-user; sid:18519; rev:5; service:http; )
00312 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer HTML DOM invalid DHTML element creation attempt"; flow:to_client,established; content:"filler|20 2B 3D 20|unescape|28 22 25|u0000|25|u0000"; content:"obj|2E|insertBefore|28|document|2E|createElement|28|filler|29 29 3B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,13120; reference:cve,2005-0553; reference:nessus,10861; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-020; classtype:attempted-user; sid:18519; rev:5; service:http; )
00313 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer HTML DOM invalid DHTML comment creation attempt"; flow:to_client,established; content:"|61 00 72 00 65 00 6E 00 74 00 5F 00 65 00 6C 00 65 00 6D 00 65 00 6E 00 74 00 2E 00 61 00 70 00 70 00 65 00 6E 00 64 00 43 00 68 00 69 00 6C 00 64 00 28 00 64 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00 2E 00 63 00 72 00 65 00 61 00 74 00 65 00 43 00 6F 00 6D 00 6D 00 65 00 6E 00 74 00 28 00 73 00 4D 00 53 00 48 00 54 00 4D 00 4C 00 5F 00 68 00 65 00 61 00 70 00 5F 00 73 00 70 00 72 00 61 00 79 00 29 00 29 00 3B 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,13120; reference:cve,2005-0553; reference:nessus,10861; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-020; classtype:attempted-user; sid:18518; rev:6; service:http; )
00313 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer HTML DOM invalid DHTML comment creation attempt"; flow:to_client,established; content:"|61 00 72 00 65 00 6E 00 74 00 5F 00 65 00 6C 00 65 00 6D 00 65 00 6E 00 74 00 2E 00 61 00 70 00 70 00 65 00 6E 00 64 00 43 00 68 00 69 00 6C 00 64 00 28 00 64 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00 2E 00 63 00 72 00 65 00 61 00 74 00 65 00 43 00 6F 00 6D 00 6D 00 65 00 6E 00 74 00 28 00 73 00 4D 00 53 00 48 00 54 00 4D 00 4C 00 5F 00 68 00 65 00 61 00 70 00 5F 00 73 00 70 00 72 00 61 00 79 00 29 00 29 00 3B 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,13120; reference:cve,2005-0553; reference:nessus,10861; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-020; classtype:attempted-user; sid:18518; rev:6; service:http; )
# sid:18482 - CVE-2009-0552 History.go double free. Three ordered literals from the PoC ("str2 = str;",
# "history.go(str2);" as the fast pattern, then "str2 += str;") inside file_data.
# NOTE(review): the header is $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any, the reverse of every other BROWSER-IE
# rule in this section ($EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any). Combined with flow:to_client this only
# inspects responses that web servers on $HOME_NET send to external clients; a $HOME_NET browser fetching the
# exploit from an external site is never inspected. Unless the inversion is deliberate, swap source and
# destination to match the siblings.
00314 alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer History.go method double free corruption attempt"; flow:to_client,established; file_data; content:"str2|20 3D 20|str|3B|"; content:"history|2E|go|28|str2|29 3B|",distance 0,fast_pattern; content:"str2|20 2B 3D 20|str|3B|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,34423; reference:cve,2009-0552; classtype:attempted-user; sid:18482; rev:3; service:http; )
00314 alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer History.go method double free corruption attempt"; flow:to_client,established; file_data; content:"str2|20 3D 20|str|3B|"; content:"history|2E|go|28|str2|29 3B|",distance 0,fast_pattern; content:"str2|20 2B 3D 20|str|3B|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,34423; reference:cve,2009-0552; classtype:attempted-user; sid:18482; rev:3; service:http; )
# sid:18313 - CVE-2006-1359 / MS06-013 createTextRange on a checkbox input. Three ordered literals tied to the
# PoC's element id 'c' and variable names r/a; any other id or variable name escapes this rule.
# sid:17263 below covers the same CVE with a different fingerprint.
00315 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer createTextRange code execution attempt"; flow:to_client,established; file_data; content:"|3C|input type|3D 22|checkbox|22 20|id|3D 27|c|27 3E|"; content:"r|3D|document|2E|getElementById|28 22|c|22 29 3B|",distance 0; content:"a|3D|r|2E|createTextRange|28 29 3B|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,17196; reference:cve,2006-1359; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-013; classtype:attempted-user; sid:18313; rev:4; service:http; )
00315 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer createTextRange code execution attempt"; flow:to_client,established; file_data; content:"|3C|input type|3D 22|checkbox|22 20|id|3D 27|c|27 3E|"; content:"r|3D|document|2E|getElementById|28 22|c|22 29 3B|",distance 0; content:"a|3D|r|2E|createTextRange|28 29 3B|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,17196; reference:cve,2006-1359; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-013; classtype:attempted-user; sid:18313; rev:4; service:http; )
# sid:18306 - CVE-2006-1188 nested span/pre/colgroup/object PoC. The contents are the HTML-entity-escaped form
# ("&lt;/span&gt;", "&lt;pre&gt;", ...), i.e. the markup as it appears inside escaped text or a script string,
# not as live tags; a page emitting the raw "</span>" tags does not match. The third literal's "&lt;/bdo",
# "&lt;/th" and "&lt;/object" carry no closing "&gt;".
00316 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer span tag memory corruption attempt"; flow:to_client,established; file_data; content:"|26|lt|3B 2F|span|26|gt|3B 0A 26|lt|3B|pre|26|gt|3B|"; content:"|26|lt|3B|colgroup|26|gt|3B 0A 26|lt|3B|small|26|gt|3B 0A 26|lt|3B 2F|small|26|gt|3B 0A 26|lt|3B 2F|colgroup|26|gt|3B|",distance 0; content:"|26|lt|3B 2F|object|26|gt|3B 0A 26|lt|3B 2F|bdo|0A 26|lt|3B 2F|th|0A 26|lt|3B 2F|object",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-1188; classtype:attempted-user; sid:18306; rev:3; service:http; )
00316 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer span tag memory corruption attempt"; flow:to_client,established; file_data; content:"|26|lt|3B 2F|span|26|gt|3B 0A 26|lt|3B|pre|26|gt|3B|"; content:"|26|lt|3B|colgroup|26|gt|3B 0A 26|lt|3B|small|26|gt|3B 0A 26|lt|3B 2F|small|26|gt|3B 0A 26|lt|3B 2F|colgroup|26|gt|3B|",distance 0; content:"|26|lt|3B 2F|object|26|gt|3B 0A 26|lt|3B 2F|bdo|0A 26|lt|3B 2F|th|0A 26|lt|3B 2F|object",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-1188; classtype:attempted-user; sid:18306; rev:3; service:http; )
# sid:18303 - CVE-2006-1245 oversized onclick handler PoC: the loop header "for(s='<a onclick=',i=0;", the
# "document.write(s+'>')" call and the doubling statement "s+=s;", in that order. Exact spacing and the
# variable names s and i are part of the match; the contents are case-sensitive, which is correct for
# JavaScript identifiers but means any reformatting of the PoC evades the rule.
00317 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer script action handler overflow attempt"; flow:to_client,established; file_data; content:"for|28|s|3D 27 3C|a|20|onclick|3D 27 2C|i|3D|0|3B|"; content:"document|2E|write|28|s|2B 27 3E 27 29|",distance 0; content:"s|2B 3D|s|3B|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,17131; reference:cve,2006-1245; classtype:attempted-user; sid:18303; rev:3; service:http; )
00317 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer script action handler overflow attempt"; flow:to_client,established; file_data; content:"for|28|s|3D 27 3C|a|20|onclick|3D 27 2C|i|3D|0|3B|"; content:"document|2E|write|28|s|2B 27 3E 27 29|",distance 0; content:"s|2B 3D|s|3B|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,17131; reference:cve,2006-1245; classtype:attempted-user; sid:18303; rev:3; service:http; )
# sid:17729 - CVE-2009-0553 / MS09-014 EMBED type memory corruption. Single literal
# <embed type='" + asMimeTypes.shift (the |27 22| is a single quote followed by a double quote), i.e. the
# PoC's string-concatenation line including its variable name asMimeTypes - a fingerprint of one exploit.
00318 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer EMBED element memory corruption attempt"; flow:to_client,established; file_data; content:"<embed type=|27 22| + asMimeTypes.shift"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,34424; reference:cve,2009-0553; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-014; classtype:attempted-user; sid:17729; rev:6; service:http; )
00318 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer EMBED element memory corruption attempt"; flow:to_client,established; file_data; content:"<embed type=|27 22| + asMimeTypes.shift"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,34424; reference:cve,2009-0553; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-014; classtype:attempted-user; sid:17729; rev:6; service:http; )
# sid:17644 - CVE-2009-0075 / MS09-002 cloneNode use-after-free. Matches "var nopsled" followed (distance 0)
# by "cloneNode()", both nocase.
# NOTE(review): neither literal is specific to this bug - "var nopsled" is a generic heap-spray variable name
# and cloneNode() is a common DOM call - so expect hits on unrelated exploit pages; the MS09-002 attribution
# in the msg is weak and should not be trusted without the page body.
00319 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer object clone deletion memory corruption attempt"; flow:to_client,established; file_data; content:"var nopsled",nocase; content:"cloneNode|28 29|",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-0075; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-002; classtype:attempted-user; sid:17644; rev:6; service:http; )
00319 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer object clone deletion memory corruption attempt"; flow:to_client,established; file_data; content:"var nopsled",nocase; content:"cloneNode|28 29|",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-0075; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-002; classtype:attempted-user; sid:17644; rev:6; service:http; )
# sid:17566 - CVE-2009-1530 / MS09-019 onbeforeactivate/ondeactivate handler corruption. The pcre allows
# arbitrary whitespace (\s*) around "=" and "()", but the gating content "activate = function ()" requires
# exactly one space in each position, so spacing variants are discarded before the pcre ever runs.
# NOTE(review): the handler body must call callback() or callmalFunc() - PoC function names - so this is a
# fingerprint of the published exploit rather than of the vulnerable pattern.
00320 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer event handler memory corruption attempt"; flow:to_client,established; file_data; content:"activate = function ()"; pcre:"/on(before|de)activate\s*\x3d\s*function\s*\x28\x29\s*\x7b\s*call(back|malFunc)\x28\x29/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,35224; reference:cve,2009-1530; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-019; classtype:attempted-user; sid:17566; rev:4; service:http; )
00320 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer event handler memory corruption attempt"; flow:to_client,established; file_data; content:"activate = function ()"; pcre:"/on(before|de)activate\s*\x3d\s*function\s*\x28\x29\s*\x7b\s*call(back|malFunc)\x28\x29/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,35224; reference:cve,2009-1530; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-019; classtype:attempted-user; sid:17566; rev:4; service:http; )
# sid:17549 - CVE-2007-3892 error-handling code execution. "for" (nocase), then "i=0; i<20; i++" within 30
# bytes, then "document.location.href=fileURL" within 50 - loop variable, bound and URL variable are all PoC
# literals.
# NOTE(review): classtype is attempted-admin while every other BROWSER-IE rule in this section is
# attempted-user; an IE exploit runs in the browsing user's context, so verify the classtype was not mis-set.
00321 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer Error Handling Code Execution"; flow:to_client,established; file_data; content:"for",nocase; content:"i=0|3B| i<20|3B| i++",within 30; content:"document.location.href=fileURL",within 50; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,25916; reference:cve,2007-3892; classtype:attempted-admin; sid:17549; rev:6; service:http; )
00321 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer Error Handling Code Execution"; flow:to_client,established; file_data; content:"for",nocase; content:"i=0|3B| i<20|3B| i++",within 30; content:"document.location.href=fileURL",within 50; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,25916; reference:cve,2007-3892; classtype:attempted-admin; sid:17549; rev:6; service:http; )
# sid:17402 - CVE-2008-4844 / MS08-078 datasrc/datafld binding corruption. "adong7" twice (the PoC's element
# id), then "datasrc" relative to the second hit, then "datafld".
# NOTE(review): the "datafld" content has no distance/within, so it is an absolute search and may match
# anywhere in the buffer, including before the datasrc hit - add distance 0 if the ordering was intended.
# sid:16605 below covers the same CVE via the percent-encoded SPAN tag.
00322 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer nested tag memory corruption attempt"; flow:to_client,established; file_data; content:"adong7",nocase; content:"adong7",distance 0,nocase; content:"datasrc",distance 0,nocase; content:"datafld",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,32721; reference:cve,2008-4844; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-078; classtype:attempted-user; sid:17402; rev:5; service:http; )
00322 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer nested tag memory corruption attempt"; flow:to_client,established; file_data; content:"adong7",nocase; content:"adong7",distance 0,nocase; content:"datasrc",distance 0,nocase; content:"datafld",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,32721; reference:cve,2008-4844; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-078; classtype:attempted-user; sid:17402; rev:5; service:http; )
# sid:17263 - second fingerprint for CVE-2006-1359 (see sid:18313): ".createTextRange()" immediately followed
# by the PoC's exact whitespace run (TAB LF CR TAB SP LF SP LF SP CR). Any other whitespace after the call
# defeats the match, so this catches one specific copy of the exploit and nothing else.
00323 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer createTextRange code execution attempt"; flow:to_client,established; file_data; content:".createTextRange|28 29 09 0A 0D 09 20 0A 20 0A 20 0D|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,17196; reference:cve,2006-1359; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-013; classtype:attempted-user; sid:17263; rev:5; service:http; )
00323 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer createTextRange code execution attempt"; flow:to_client,established; file_data; content:".createTextRange|28 29 09 0A 0D 09 20 0A 20 0A 20 0D|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,17196; reference:cve,2006-1359; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-013; classtype:attempted-user; sid:17263; rev:5; service:http; )
# sid:16605 - CVE-2008-4844 nested SPAN. The two contents are the percent-encoded forms of
# "<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>" and "<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=TEXT>", i.e.
# the tag as carried by a page that unescape()s it; a page that writes the tag directly is not matched here.
# NOTE(review): the first content is case-sensitive while the second has nocase, so a copy using upper-case
# hex digits ("%3C%53...", which decodes identically) fails the first match - add nocase to the first content.
# This is also the only rule in this section that drops under connectivity-ips.
00324 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer nested SPAN tag memory corruption attempt"; flow:to_client,established; file_data; content:"%3c%53%50%41%4e%20%44%41%54%41%53%52%43%3d%23%49%20%44%41%54%41%46%4c%44%3d%43%20%44%41%54%41%46%4f%52%4d%41%54%41%53%3d%48%54%4d%4c%3e"; content:"%3c%53%50%41%4e%20%44%41%54%41%53%52%43%3d%23%49%20%44%41%54%41%46%4c%44%3d%43%20%44%41%54%41%46%4f%52%4d%41%54%41%53%3d%54%45%58%54%3e",nocase; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:bugtraq,32721; reference:cve,2008-4844; classtype:attempted-user; sid:16605; rev:6; service:http; )
00324 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer nested SPAN tag memory corruption attempt"; flow:to_client,established; file_data; content:"%3c%53%50%41%4e%20%44%41%54%41%53%52%43%3d%23%49%20%44%41%54%41%46%4c%44%3d%43%20%44%41%54%41%46%4f%52%4d%41%54%41%53%3d%48%54%4d%4c%3e"; content:"%3c%53%50%41%4e%20%44%41%54%41%53%52%43%3d%23%49%20%44%41%54%41%46%4c%44%3d%43%20%44%41%54%41%46%4f%52%4d%41%54%41%53%3d%54%45%58%54%3e",nocase; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:bugtraq,32721; reference:cve,2008-4844; classtype:attempted-user; sid:16605; rev:6; service:http; )
# sid:23836 - CVE-2012-1526 / MS12-052 negative-margin use-after-free; also inspected over IMAP/POP3 via
# $FILE_DATA_PORTS. Gate: an "<object" tag with no data= attribute (negative relative pcre), then "margin",
# then a style declaration whose margin is -101..-9999 in cm/em/ex (the class "[ce][mx]" also admits the
# non-unit "cx").
# NOTE(review): the numeric class "1[0-9][1-9]" skips -100 and -110,-120,...,-190, and "[ce][mx]" excludes
# px, pt, in, mm and % - a negative margin written in px, the most common unit, is never matched. Confirm
# this is intended. "offset 0" on the first content is the default and does not anchor "<object" to the
# start of the buffer; that would need depth as well.
00325 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer negative margin use after free attempt"; flow:to_client,established; file_data; content:"<object",offset 0,nocase; pcre:!"/^[^>]*?data\s*=/Rmis"; content:"margin",nocase; pcre:"/<[^>]*?style\s*[>=].{1,1024}margin\s*\x3a\s*[^\x3b\x7d]*?-(\d{4}|1[0-9][1-9]|[2-9]\d\d)[ce][mx].*?[\x7b\x3b]/ims"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1526; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-052; classtype:attempted-user; sid:23836; rev:5; service:http; service:imap; service:pop3; )
00325 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer negative margin use after free attempt"; flow:to_client,established; file_data; content:"<object",offset 0,nocase; pcre:!"/^[^>]*?data\s*=/Rmis"; content:"margin",nocase; pcre:"/<[^>]*?style\s*[>=].{1,1024}margin\s*\x3a\s*[^\x3b\x7d]*?-(\d{4}|1[0-9][1-9]|[2-9]\d\d)[ce][mx].*?[\x7b\x3b]/ims"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1526; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-052; classtype:attempted-user; sid:23836; rev:5; service:http; service:imap; service:pop3; )
00325 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer negative margin use after free attempt"; flow:to_client,established; file_data; content:"<object",offset 0,nocase; pcre:!"/^[^>]*?data\s*=/Rmis"; content:"margin",nocase; pcre:"/<[^>]*?style\s*[>=].{1,1024}margin\s*\x3a\s*[^\x3b\x7d]*?-(\d{4}|1[0-9][1-9]|[2-9]\d\d)[ce][mx].*?[\x7b\x3b]/ims"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1526; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-052; classtype:attempted-user; sid:23836; rev:5; service:http; service:imap; service:pop3; )
00325 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer negative margin use after free attempt"; flow:to_client,established; file_data; content:"<object",offset 0,nocase; pcre:!"/^[^>]*?data\s*=/Rmis"; content:"margin",nocase; pcre:"/<[^>]*?style\s*[>=].{1,1024}margin\s*\x3a\s*[^\x3b\x7d]*?-(\d{4}|1[0-9][1-9]|[2-9]\d\d)[ce][mx].*?[\x7b\x3b]/ims"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1526; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-052; classtype:attempted-user; sid:23836; rev:5; service:http; service:imap; service:pop3; )
# sid:23128 - CVE-2012-1873 / MS12-037 IE9 memory disclosure: a <meta http-equiv="X-UA-Compatible"
# content="IE=9|EmulateIE9|Edge"> in either attribute order (quote style pinned by named groups), followed by
# a postMessage() whose argument - inline or via a var - contains a literal backslash-zero ("\0").
# NOTE(review): the pcre carries the O modifier (overrides the configured match / recursion limits for this
# expression) and chains several lazy ".*?" under /s across the whole file_data buffer. Measure CPU on large
# HTML bodies before relying on it inline: a crafted page can drive heavy backtracking with the global limits
# switched off for this rule.
00326 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 9 memory disclosure attempt"; flow:to_client,established; file_data; content:"X-UA-Compatible"; content:"content=",nocase; content:".postMessage("; pcre:"/<\s*?meta\s+.*?(http-equiv=(?P<q1>[\x22\x27])\s*?X-UA-Compatible\s*?(?P=q1).*?[^>]content=(?P<q2>[\x22\x27])\s*?IE=\s*?(EmulateIE9|Edge|9)\s*?(?P=q2)|content=(?P<q3>[\x22\x27])\s*?IE=\s*?(EmulateIE9|Edge|9)\s*?(?P=q3).*?[^>]http-equiv=(?P<q4>[\x22\x27])\s*?X-UA-Compatible\s*(?P=q4)).*?(\w\x2epostMessage\x28\s*.*?\x5c0.*?\x29|var\s+(?P<var>\w+)\s*?=\s*?(?P<q5>[\x22\x27]).*?[^\x3b]\x5c0.*?\x3b.*?\w\x2epostMessage\x28\s*?(?P=var))/imsO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-1873; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-037; classtype:attempted-user; sid:23128; rev:3; service:http; )
00326 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 9 memory disclosure attempt"; flow:to_client,established; file_data; content:"X-UA-Compatible"; content:"content=",nocase; content:".postMessage("; pcre:"/<\s*?meta\s+.*?(http-equiv=(?P<q1>[\x22\x27])\s*?X-UA-Compatible\s*?(?P=q1).*?[^>]content=(?P<q2>[\x22\x27])\s*?IE=\s*?(EmulateIE9|Edge|9)\s*?(?P=q2)|content=(?P<q3>[\x22\x27])\s*?IE=\s*?(EmulateIE9|Edge|9)\s*?(?P=q3).*?[^>]http-equiv=(?P<q4>[\x22\x27])\s*?X-UA-Compatible\s*(?P=q4)).*?(\w\x2epostMessage\x28\s*.*?\x5c0.*?\x29|var\s+(?P<var>\w+)\s*?=\s*?(?P<q5>[\x22\x27]).*?[^\x3b]\x5c0.*?\x3b.*?\w\x2epostMessage\x28\s*?(?P=var))/imsO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-1873; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-037; classtype:attempted-user; sid:23128; rev:3; service:http; )
# sid:23124 - CVE-2012-1876 / MS12-037 <col span> width-increase memory corruption. Fast pattern
# "table-layout:" with "fixed" within 7 bytes (at most two bytes between them), then a pcre that captures the
# id passed to document.getElementById() in a <script> and requires either a later ".span" assignment on that
# variable with a matching <col id=...> inside a <table>, or a <col id=... span=N> attribute directly. In both
# alternatives the getElementById() call must precede the <col> element in the buffer.
00327 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer html table column span width increase memory corruption attempt"; flow:to_client,established; file_data; content:"table-layout|3A|",fast_pattern,nocase; content:"fixed",within 7,nocase; pcre:"/<\s*script.*?(?P<var>\w+)\s*=\s*document\.getElementById\s*\x28\s*[\x22\x27](?P<col_id>[^\x22\x27]+)[\x22\x27]\s*\x29.*?((?P=var)\.span.*?<\s*table.*?<col[^>]*?id\s*=\s*[\x22\x27]?(?P=col_id)[^>]*?>.*?<\s*\/\s*table\s*>|<\s*col.*?id\s*=\s*[\x22\x27]?(?P=col_id)[^>]*?span\s*=\s*[\x22\x27]?\d)/ims"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-1876; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-037; classtype:attempted-user; sid:23124; rev:4; service:http; )
00327 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer html table column span width increase memory corruption attempt"; flow:to_client,established; file_data; content:"table-layout|3A|",fast_pattern,nocase; content:"fixed",within 7,nocase; pcre:"/<\s*script.*?(?P<var>\w+)\s*=\s*document\.getElementById\s*\x28\s*[\x22\x27](?P<col_id>[^\x22\x27]+)[\x22\x27]\s*\x29.*?((?P=var)\.span.*?<\s*table.*?<col[^>]*?id\s*=\s*[\x22\x27]?(?P=col_id)[^>]*?>.*?<\s*\/\s*table\s*>|<\s*col.*?id\s*=\s*[\x22\x27]?(?P=col_id)[^>]*?span\s*=\s*[\x22\x27]?\d)/ims"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-1876; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-037; classtype:attempted-user; sid:23124; rev:4; service:http; )
# sid:23117 - CVE-2012-1877 / MS12-037 IE9 DOM element use-after-free. Fires on the legacy IE event binding
# <script for="..." event="onpropertychange" ...> - on the binding form alone, with no check on what the
# handler does.
# NOTE(review): any page using <script for= event=onpropertychange> matches, so expect hits on legacy
# intranet applications; treat a single alert as low confidence unless the page body is reviewed.
00328 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 9 DOM element use after free attempt"; flow:to_client,established; file_data; content:"onpropertychange"; pcre:"/<script[^>]*?for\s*=\s*[\x22\x27]?.*?event\s*=\s*[\x22\x27]?onpropertychange[\x22\x27]?[^>]*?>/ims"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-1877; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-037; classtype:attempted-user; sid:23117; rev:4; service:http; )
00328 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 9 DOM element use after free attempt"; flow:to_client,established; file_data; content:"onpropertychange"; pcre:"/<script[^>]*?for\s*=\s*[\x22\x27]?.*?event\s*=\s*[\x22\x27]?onpropertychange[\x22\x27]?[^>]*?>/ims"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-1877; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-037; classtype:attempted-user; sid:23117; rev:4; service:http; )
# sid:23116 - CVE-2012-1878 / MS12-037 CTreeNode use-after-free. The pcre chains, with named back-references,
# attachEvent(eventid, repro), "var target = ...getElementById(...)", two target.fireEvent(eventid) calls and
# a "function repro(arg){ ... arg.srcElement.parentNode.removeChild(arg.srcElement); ... }".
# NOTE(review): the modifiers are /i only - no /s - so "." does not match a newline and every ".*?" gap must
# sit on a single line. A PoC laid out one statement per line therefore does not match; only a minified or
# single-line copy does. The neighbouring rules use /ims or /smi - verify the missing s was intentional.
00329 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 9 CTreeNode use after free attempt"; flow:to_client,established; file_data; content:"srcElement.parentNode.removeChild"; pcre:"/\w+\.getElementById\(.*?\)\.attachEvent\(\s*(?P<q1>[\x22\x27]?)(?P<eventid>.*?)(?P=q1)\s*,\s*(?P<repro>\w+)\s*\)\;.*?var\s+(?P<target>\w+)\s*=\s*\w+\.getElementById\(.*?\)\;.*?(?P=target)\.fireEvent\(\s*(?P<q2>[\x22\x27]?)(?P=eventid)(?P=q2)\s*\)\;.*?(?P=target)\.fireEvent\(\s*(?P<q3>[\x22\x27]?)(?P=eventid)(?P=q3)\s*\)\;.*?function\s+(?P=repro)\s*\(\s*(?P<arg>\w+)\s*\)\s*{.*?(?P=arg)\.srcElement\.parentNode\.removeChild\(\s*(?P=arg)\.srcElement\s*\)\;.*?}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-1878; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-037; classtype:attempted-user; sid:23116; rev:2; service:http; )
00329 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 9 CTreeNode use after free attempt"; flow:to_client,established; file_data; content:"srcElement.parentNode.removeChild"; pcre:"/\w+\.getElementById\(.*?\)\.attachEvent\(\s*(?P<q1>[\x22\x27]?)(?P<eventid>.*?)(?P=q1)\s*,\s*(?P<repro>\w+)\s*\)\;.*?var\s+(?P<target>\w+)\s*=\s*\w+\.getElementById\(.*?\)\;.*?(?P=target)\.fireEvent\(\s*(?P<q2>[\x22\x27]?)(?P=eventid)(?P=q2)\s*\)\;.*?(?P=target)\.fireEvent\(\s*(?P<q3>[\x22\x27]?)(?P=eventid)(?P=q3)\s*\)\;.*?function\s+(?P=repro)\s*\(\s*(?P<arg>\w+)\s*\)\s*{.*?(?P=arg)\.srcElement\.parentNode\.removeChild\(\s*(?P=arg)\.srcElement\s*\)\;.*?}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-1878; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-037; classtype:attempted-user; sid:23116; rev:2; service:http; )
# sid:22038 - CVE-2012-0171 SelectAll dangling-pointer use-after-free. Ordered: two
# document.execCommand('selectAll') calls, then "<body onload", then "onbeforedeactivate=" - so the script must
# precede the <body> tag, as in the PoC. Alert-only under balanced-ips; also inspected over IMAP/POP3.
# NOTE(review): the bulletin reference is MS11-023 - a 2011 bulletin - for a 2012 CVE, while the neighbouring
# rule for CVE-2012-0172 (sid:21793) references ms12-023. This looks like a typo for MS12-023; verify against
# the bulletin and correct the reference.
00330 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer SelectAll dangling pointer use after free attempt"; flow:to_client,established; file_data; content:"document.execCommand|28|'selectAll'|29|",nocase; content:"document.execCommand|28|'selectAll'|29|",distance 0,nocase; content:"<body onload",distance 0,nocase; content:"onbeforedeactivate=",distance 0,nocase; metadata:policy balanced-ips alert,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0171; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-023; classtype:attempted-user; sid:22038; rev:2; service:http; service:imap; service:pop3; )
00330 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer SelectAll dangling pointer use after free attempt"; flow:to_client,established; file_data; content:"document.execCommand|28|'selectAll'|29|",nocase; content:"document.execCommand|28|'selectAll'|29|",distance 0,nocase; content:"<body onload",distance 0,nocase; content:"onbeforedeactivate=",distance 0,nocase; metadata:policy balanced-ips alert,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0171; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-023; classtype:attempted-user; sid:22038; rev:2; service:http; service:imap; service:pop3; )
00330 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer SelectAll dangling pointer use after free attempt"; flow:to_client,established; file_data; content:"document.execCommand|28|'selectAll'|29|",nocase; content:"document.execCommand|28|'selectAll'|29|",distance 0,nocase; content:"<body onload",distance 0,nocase; content:"onbeforedeactivate=",distance 0,nocase; metadata:policy balanced-ips alert,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0171; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-023; classtype:attempted-user; sid:22038; rev:2; service:http; service:imap; service:pop3; )
00330 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer SelectAll dangling pointer use after free attempt"; flow:to_client,established; file_data; content:"document.execCommand|28|'selectAll'|29|",nocase; content:"document.execCommand|28|'selectAll'|29|",distance 0,nocase; content:"<body onload",distance 0,nocase; content:"onbeforedeactivate=",distance 0,nocase; metadata:policy balanced-ips alert,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0171; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-023; classtype:attempted-user; sid:22038; rev:2; service:http; service:imap; service:pop3; )
# sid:21793 - CVE-2012-0172 / MS12-023 VML reference-counting use-after-free. Matches the VML behaviour
# import '<?IMPORT namespace="..." implementation="#default#VML">' (the two literals within 50 bytes of each
# other), which is the standard way to enable VML in IE rather than an exploit-specific marker - hence
# alert-only under balanced-ips. Expect hits on legitimate legacy pages that use VML; also inspected over
# IMAP/POP3.
00331 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer vector graphics reference counting use-after-free attempt"; flow:to_client,established; file_data; content:"|3C 3F|IMPORT namespace=|22|",nocase; content:"implementation=|22|#default#VML|22 3E|",within 50,nocase; metadata:policy balanced-ips alert,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,52906; reference:cve,2012-0172; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-023; classtype:attempted-user; sid:21793; rev:7; service:http; service:imap; service:pop3; )
00331 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer vector graphics reference counting use-after-free attempt"; flow:to_client,established; file_data; content:"|3C 3F|IMPORT namespace=|22|",nocase; content:"implementation=|22|#default#VML|22 3E|",within 50,nocase; metadata:policy balanced-ips alert,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,52906; reference:cve,2012-0172; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-023; classtype:attempted-user; sid:21793; rev:7; service:http; service:imap; service:pop3; )
00331 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer vector graphics reference counting use-after-free attempt"; flow:to_client,established; file_data; content:"|3C 3F|IMPORT namespace=|22|",nocase; content:"implementation=|22|#default#VML|22 3E|",within 50,nocase; metadata:policy balanced-ips alert,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,52906; reference:cve,2012-0172; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-023; classtype:attempted-user; sid:21793; rev:7; service:http; service:imap; service:pop3; )
00331 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer vector graphics reference counting use-after-free attempt"; flow:to_client,established; file_data; content:"|3C 3F|IMPORT namespace=|22|",nocase; content:"implementation=|22|#default#VML|22 3E|",within 50,nocase; metadata:policy balanced-ips alert,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,52906; reference:cve,2012-0172; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-023; classtype:attempted-user; sid:21793; rev:7; service:http; service:imap; service:pop3; )
# sid:14643 - CVE-2008-2947 / MS08-058 location / location.href cross-domain bypass. Requires "window.open"
# and ".location" anywhere in file_data plus a pcre for '.location[.href] = new String("javascript:'.
# NOTE(review): the pcre only accepts a double quote (\x22) after "new String(" - the same assignment with a
# single-quoted 'javascript:' string is not matched; consider [\x22\x27] there.
00332 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer location and location.href cross domain security bypass vulnerability"; flow:to_client,established; file_data; content:"window.open",nocase; content:".location",nocase; pcre:"/\.location(\.href)?\s*=\s*new\s+String\s*\x28\s*\x22\s*javascript\x3A/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-2947; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-058; classtype:attempted-user; sid:14643; rev:9; service:http; )
00332 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer location and location.href cross domain security bypass vulnerability"; flow:to_client,established; file_data; content:"window.open",nocase; content:".location",nocase; pcre:"/\.location(\.href)?\s*=\s*new\s+String\s*\x28\s*\x22\s*javascript\x3A/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-2947; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-058; classtype:attempted-user; sid:14643; rev:9; service:http; )
# sid:17692 - CVE-2008-2259 / MS08-045 ExecWB(OLECMDID_PRINTPREVIEW) zone bypass: "ExecWB(" with a first
# argument containing 7 or IDM_PRINTPREVIEW and an "http://" later in the argument list.
# NOTE(review): "[^\x2c\x29]*(7|...)" matches any first argument that merely contains the digit 7 (17, 27,
# 70, ...), and only "http://" is accepted - an https:// URL among the arguments is not matched.
00333 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer ExecWB security zone bypass attempt"; flow:to_client,established; file_data; content:"ExecWB",nocase; pcre:"/ExecWB\s*\x28\s*[^\x2c\x29]*(7|IDM_PRINTPREVIEW)[^\x29]+http\x3a\x2f\x2f/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,30612; reference:cve,2008-2259; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-045; classtype:attempted-user; sid:17692; rev:6; service:http; )
00333 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer ExecWB security zone bypass attempt"; flow:to_client,established; file_data; content:"ExecWB",nocase; pcre:"/ExecWB\s*\x28\s*[^\x2c\x29]*(7|IDM_PRINTPREVIEW)[^\x29]+http\x3a\x2f\x2f/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,30612; reference:cve,2008-2259; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-045; classtype:attempted-user; sid:17692; rev:6; service:http; )
# sid:15529 - CVE-2007-3091 (fixed in MS09-019) cross-domain navigation cookie theft. Two literal lines from
# the public PoC, "setInterval('xDomainAccess()',1);" and "setInterval("try { myWindow.location.href =
# victimLnk;}", not positioned relative to each other. Pure fingerprint: renaming xDomainAccess, myWindow or
# victimLnk evades it.
00334 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer cross-domain navigation cookie stealing attempt"; flow:to_client,established; file_data; content:"setInterval|28|'xDomainAccess|28 29|',1|29 3B|",nocase; content:"setInterval|28 22|try { myWindow.location.href = victimLnk|3B|}",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2007-3091; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-019; classtype:misc-attack; sid:15529; rev:7; service:http; )
00334 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer cross-domain navigation cookie stealing attempt"; flow:to_client,established; file_data; content:"setInterval|28|'xDomainAccess|28 29|',1|29 3B|",nocase; content:"setInterval|28 22|try { myWindow.location.href = victimLnk|3B|}",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2007-3091; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-019; classtype:misc-attack; sid:15529; rev:7; service:http; )
# sid:14656 - CVE-2008-3473 / MS08-053 setCapture mouse-event information disclosure. "setcapture()", then an
# onclick= attribute and "event" ... "srcelement.", with a pcre tying the element that called setcapture()
# to a <div ... onclick=> carrying the same name.
# NOTE(review): the first content "setcapture|28 29|" has no nocase, whereas the other contents and the pcre
# (/smi) are case-insensitive; the documented DOM casing is setCapture(). Confirm the gating content still
# matches that spelling - the pcre would, but it only runs after the contents pass.
00335 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer XSS mouseevent PII disclosure attempt"; flow:to_client,established; file_data; content:"setcapture|28 29|"; content:"onclick=",nocase; content:"event",nocase; content:"srcelement.",distance 0,nocase; pcre:"/(?P<divname>\w+)\x2esetcapture\x28\x29.*?<div[^\x3e]*?(?P=divname)[^\x3e]*?onclick\x3d/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-3473; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-053; classtype:web-application-activity; sid:14656; rev:11; service:http; )
00335 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer XSS mouseevent PII disclosure attempt"; flow:to_client,established; file_data; content:"setcapture|28 29|"; content:"onclick=",nocase; content:"event",nocase; content:"srcelement.",distance 0,nocase; pcre:"/(?P<divname>\w+)\x2esetcapture\x28\x29.*?<div[^\x3e]*?(?P=divname)[^\x3e]*?onclick\x3d/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-3473; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-053; classtype:web-application-activity; sid:14656; rev:11; service:http; )
00336 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer cross domain componentFromPoint memory corruption attempt"; flow:to_client,established; file_data; content:"|2E|componentFromPoint|28|",nocase; pcre:"/(\S+)\s+\x3d[^\x3b]*\x2e(createElement|getElementById)\x28.*\1\x2ecomponentFromPoint\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-3475; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-058; classtype:attempted-user; sid:14657; rev:9; service:http; )
00337 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer DXLUTBuilder ActiveX function call access"; flow:to_client,established; file_data; content:"DXTransform.Microsoft.DXLUTBuilder"; pcre:"/(?P<c>\w+)\s*=\s*(\x22DXTransform\.Microsoft\.DXLUTBuilder(\.\d)?\x22|\x27DXTransform\.Microsoft\.DXLUTBuilder(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22DXTransform\.Microsoft\.DXLUTBuilder(\.\d)?\x22|\x27DXTransform\.Microsoft\.DXLUTBuilder(\.\d)?\x27)\s*\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-0078; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-010; classtype:attempted-user; sid:13455; rev:10; service:http; )
00338 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer DXLUTBuilder ActiveX clsid access"; flow:to_client,established; file_data; content:"1e54333b-2a00-11d1-8198-0000f87557db",nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*1e54333b-2a00-11d1-8198-0000f87557db\s*}?\s*(?P=q1)(\s|>)/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-0078; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-010; classtype:attempted-user; sid:13453; rev:10; service:http; )
00339 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer table layout access violation vulnerability"; flow:to_client,established; file_data; content:"|2E|getClientRects|28 29|",nocase; content:"|2E|clearAttributes|28 29|",within 50,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-2258; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-045; classtype:misc-attack; sid:13961; rev:8; service:http; )
00340 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer argument validation in print preview handling exploitation attempt"; flow:to_client,established; file_data; content:"|2E|ExecWB"; pcre:"/\x2eExecWB\s*\x28(IDM_PRINTPREVIEW|7)\x2c\s+(0|2)\x2C\s+\x22http/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,30612; reference:cve,2008-2259; reference:url,osvdb.org/show/osvdb/47414; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-045; classtype:attempted-user; sid:13963; rev:10; service:http; )
00341 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer marquee object handling memory corruption attempt"; flow:to_client,established; file_data; content:"MARQUEE",nocase; content:"onstart",distance 0,nocase; pcre:"/\x3c\s*Marquee[^\x3e]*onstart\s*\x3D\s*\x22\s*document\x2e(write|writeln|open)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-0554; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-014; classtype:attempted-user; sid:17462; rev:8; service:http; )
00342 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer EMBED element memory corruption attempt"; flow:to_client,established; file_data; content:"function|20|open|5F|win|28 29|"; content:"document|2E|body|2E|innerHTML|20 3D|",distance 0; content:"|22 3C|embed|20|type|3D 27|audio|2F|midi|27 3E|",distance 0; content:"setInterval|28 27|open|5F|win|28 29 27 2C 20|1|29 3B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,34424; reference:cve,2009-0553; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-014; classtype:attempted-user; sid:17709; rev:7; service:http; )
00343 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer object clone deletion memory corruption attempt - obfuscated"; flow:to_client,established; dsize:<800; file_data; content:"<html>",nocase; content:"createElement",distance 0,nocase; content:"cloneNode",nocase; content:"clearAttributes",nocase; content:"CollectGarbage",nocase; content:"</html>",distance 0,nocase; metadata:policy balanced-ips alert,policy security-ips alert,service http; reference:cve,2009-0075; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-002; classtype:attempted-user; sid:16339; rev:7; service:http; )
00344 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer object clone deletion memory corruption attempt"; flow:to_client,established; file_data; content:"cloneNode",nocase; content:"clearAttributes",distance 0,nocase; pcre:"/(?P<cl>\w+)\s*=\s*(?P<o>\w+)\.cloneNode.*?(?P=o)\.clearAttributes.*?(?P=o)\s*=\s*null\s*\x3B.*?(?P=cl)\.click\s*\x3B/Osmi"; metadata:policy balanced-ips alert,policy security-ips alert,service http; reference:cve,2009-0075; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-002; classtype:attempted-user; sid:15304; rev:7; service:http; )
00345 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer invalid object access memory corruption attempt"; flow:to_client,established; file_data; content:"createEventObject"; content:"innerHTML",distance 0; pcre:"/createEventObject[^\x7D]+innerHTML\s*\x3D\s*\S+[^\x7D]+(setTimeout|setInterval)/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-0249; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-002; classtype:attempted-user; sid:16367; rev:10; service:http; )
00346 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 7/8 execute local file in Internet zone redirect attempt"; flow:to_client,established; http_header; content:"|0A|Location|3A|",nocase; content:"file|3A|//127.0.0.1",distance 0,fast_pattern; pcre:"/^Location\x3a[^\n]*file\x3a\x2f\x2f127\x2e0\x2e0\x2e1/mi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-0255; reference:cve,2010-0555; reference:url,technet.microsoft.com/en-us/security/advisory/980088; classtype:attempted-user; sid:16423; rev:8; service:http; )
00347 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer userdata behavior memory corruption attempt"; flow:to_client,established; file_data; content:"|7B|behavior",nocase; content:"url|28 23|default|23|userData|29|",distance 0,nocase; content:"setAttribute"; pcre:"/(?P<class>[A-Z\d_]+)\s*\x7Bbehavior\s*\x3a\s*url\x28\x23default\x23userData\x29.*?(?P<obj>[A-Z\d_]+)\x2EsetAttribute\x28[^,]+,\s*[A-Z]\x29.*?\x3cMARQUEE\s*id\x3d\x22(?P=obj)\x22\s*class\x3d\x22(?P=class)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-0806; reference:url,support.microsoft.com/kb/980182; classtype:attempted-user; sid:17689; rev:7; service:http; )
00348 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer userdata behavior memory corruption attempt"; flow:to_client,established; file_data; content:"|3C|script|3E|",nocase; content:"|2E|style|2E|behavior",nocase; content:"|23|default|23|userData",distance 0,nocase; content:"setAttribute|28|"; pcre:"/(?P<obj>[A-Z\d_]+)\x2Estyle\x2Ebehavior\s*\x3D\s*\x22url\x28\x27\x23default\x23userData\x27\x29\x22.*?(?P=obj)\x2EsetAttribute\x28[^,]+,\s*[A-Z]/smi"; content:"|3C 2F|script|3E|",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,38615; reference:cve,2010-0806; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-018; classtype:attempted-user; sid:17688; rev:7; service:http; service:imap; service:pop3; )
00349 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer userdata behavior memory corruption attempt"; flow:to_client,established; file_data; content:"|3C|script",nocase; content:"addBehavior|28|",nocase; content:"|23|default|23|userData",within 30,nocase; content:"setAttribute|28|",distance 0,nocase; pcre:"/(?P<obj>[A-Z\d_]+)\.addBehavior\x28(?P<q1>\x22|\x27|)[^\x29]*\x23default\x23userData(?P=q1)\x29.*?(?P=obj)\.setAttribute\x28[^,]+,\s*[A-Z]/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,38615; reference:cve,2010-0806; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-018; classtype:attempted-user; sid:16482; rev:9; service:http; service:imap; service:pop3; )
00350 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer boundElements arbitrary code execution"; flow:to_client,established; file_data; content:"event.boundElements"; content:"window.close"; pcre:"/on(load|click)\s*=\s*\x22?window\.close\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,42288; reference:cve,2010-2557; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-053; classtype:attempted-user; sid:17130; rev:7; service:http; )
00351 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 6 #default#anim attempt"; flow:to_client,established; file_data; content:"behavior:url('#default#anim')",nocase; metadata:policy balanced-ips drop,policy security-ips alert,service http; reference:cve,2010-3343; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-090; classtype:attempted-user; sid:18216; rev:8; service:http; )
00352 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer oversize recordset object cache size exploit attempt"; flow:to_client,established; file_data; content:"recordset"; content:".CacheSize",within 100; pcre:"/^\s*=\s/R"; byte_test:10,>,0x3ffffffe,0,relative,string; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-1117; reference:cve,2010-1118; reference:cve,2010-1259; reference:cve,2010-1262; reference:cve,2011-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-035; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-002; classtype:attempted-user; sid:18280; rev:10; service:http; )
00353 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer document.insertBefore memory corruption attempt"; flow:to_client,established; file_data; content:"document.insertBefore(document"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2011-0036; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-003; classtype:attempted-admin; sid:18404; rev:6; service:http; )
00354 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer contenteditable corruption attempt"; flow:to_client,established; file_data; content:"#default#time2"; content:"schemas-microsoft-com:time",nocase; content:"contenteditable",nocase; content:"|3A|transitionFilter",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-1255; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-050; classtype:attempted-user; sid:19237; rev:8; service:http; service:imap; service:pop3; )
00355 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer VML use after free attempt"; flow:to_client,established; file_data; content:"urn:schemas-microsoft-com:vml"; pcre:"/<v\s*\x3a\s*(image|imagedata|fill|stroke)\s+id\s*=\s*\x22([^\x22]*)\x22[^\x3E]*style\s*=\s*\x22[^\x22]*\x23default\x23VML[^\x22]*\x22.*document\x2EgetElementById\s*\x28\s*\x22\2\x22\s*\x29\x2Esrc\s+\x3D/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,48173; reference:cve,2011-1266; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-052; classtype:attempted-user; sid:19910; rev:5; service:http; )
00356 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer MDAC remote code execution attempt"; flow:to_client,established; file_data; content:"eval|28 22|r|3D|o|22|",nocase; content:"ect|28|n|2C 27 27 29|",distance 0,nocase; pcre:"/bj\x22[\x0D\x0A\s\t]*\x2b[\x0D\x0A\s\t]*\x22ect\x28n\x2C\x27\x27\x29/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-014; classtype:attempted-user; sid:19872; rev:2; service:http; )
00357 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer redirect to cdl protocol attempt"; flow:to_client,established; content:"302 Redirect",nocase; http_header; content:"Location|3A 20|cdl|3A 2F 2F|",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2011-1262; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-050; classtype:attempted-admin; sid:19245; rev:4; service:http; )
# sid:19239 — IE8 toStaticHTML() sanitizer bypass / XSS (CVE-2011-1252 / MS11-050). Fast-pattern on "toStaticHTML(" in the
# response body with "expression(" within 100 bytes; the pcre then requires a CSS expression() introduced by a "&" or '"'
# character, one arbitrary character and "=expression(".
00358 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 8 toStaticHTML XSS attempt"; flow:to_client,established; file_data; content:"toStaticHTML(",fast_pattern,nocase; content:"expression(",within 100,nocase; pcre:"/toStaticHTML\x28.*?[\x26\x22].=expression\x28/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2011-1252; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-050; classtype:attempted-user; sid:19239; rev:5; service:http; )
00358 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 8 toStaticHTML XSS attempt"; flow:to_client,established; file_data; content:"toStaticHTML(",fast_pattern,nocase; content:"expression(",within 100,nocase; pcre:"/toStaticHTML\x28.*?[\x26\x22].=expression\x28/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2011-1252; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-050; classtype:attempted-user; sid:19239; rev:5; service:http; )
# sid:19147 — IE innerHTML against an incomplete element, heap corruption (CVE-2010-0490 / MS10-018). Two case-sensitive
# content matches in the response body: an <em id="obj"> element followed by obj.outerHTML++ (the public PoC's identifiers).
00359 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer innerHTML against incomplete element heap corruption attempt"; flow:to_client,established; file_data; content:"|3C|em id|3D 22|obj|22 3E|"; content:"obj|2E|outerHTML|2B 2B|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-0490; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-018; classtype:attempted-user; sid:19147; rev:5; service:http; )
00359 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer innerHTML against incomplete element heap corruption attempt"; flow:to_client,established; file_data; content:"|3C|em id|3D 22|obj|22 3E|"; content:"obj|2E|outerHTML|2B 2B|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-0490; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-018; classtype:attempted-user; sid:19147; rev:5; service:http; )
# sid:18240 — IE CSS @import use-after-free (CVE-2010-3971 / MS11-003, BID 45246). Requires three UTF-16LE "@import "
# tokens (every character interleaved with a |00| byte); the pcre back-reference \2 then requires the same quoted stylesheet
# URL to be imported three times, with optional url( ... ) wrapping.
# NOTE(review): both the content and the pcre only describe the UTF-16LE encoding of the stylesheet; check that a sibling
# rule covers the same triple-@import pattern in ASCII/UTF-8 encoded pages, otherwise that coverage is missing here.
00360 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CSS importer use-after-free attempt"; flow:to_client,established; file_data; content:"@|00|i|00|m|00|p|00|o|00|r|00|t|00| |00|"; content:"@|00|i|00|m|00|p|00|o|00|r|00|t|00| |00|",distance 0; content:"@|00|i|00|m|00|p|00|o|00|r|00|t|00| |00|",distance 0; pcre:"/\x40\x00i\x00m\x00p\x00o\x00r\x00t\x00 \x00(u\x00r\x00l\x00\x28\x00)?\x22\x00([^\x22]+)\x22\x00(\x29\x00)?\x3B\x00[^\x40]*\x40\x00i\x00m\x00p\x00o\x00r\x00t\x00 \x00(u\x00r\x00l\x00\x28\x00)?\x22\x00\2\x22\x00(\x29\x00)?\x3B\x00[^\x40]*\x40\x00i\x00m\x00p\x00o\x00r\x00t\x00 \x00(u\x00r\x00l\x00\x28\x00)?\x22\x00\2\x22/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,45246; reference:cve,2010-3971; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-003; classtype:attempted-user; sid:18240; rev:9; service:http; )
00360 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CSS importer use-after-free attempt"; flow:to_client,established; file_data; content:"@|00|i|00|m|00|p|00|o|00|r|00|t|00| |00|"; content:"@|00|i|00|m|00|p|00|o|00|r|00|t|00| |00|",distance 0; content:"@|00|i|00|m|00|p|00|o|00|r|00|t|00| |00|",distance 0; pcre:"/\x40\x00i\x00m\x00p\x00o\x00r\x00t\x00 \x00(u\x00r\x00l\x00\x28\x00)?\x22\x00([^\x22]+)\x22\x00(\x29\x00)?\x3B\x00[^\x40]*\x40\x00i\x00m\x00p\x00o\x00r\x00t\x00 \x00(u\x00r\x00l\x00\x28\x00)?\x22\x00\2\x22\x00(\x29\x00)?\x3B\x00[^\x40]*\x40\x00i\x00m\x00p\x00o\x00r\x00t\x00 \x00(u\x00r\x00l\x00\x28\x00)?\x22\x00\2\x22/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,45246; reference:cve,2010-3971; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-003; classtype:attempted-user; sid:18240; rev:9; service:http; )
# sid:17262 — IE createTextRange() code execution, <input type="radio"> variant (CVE-2006-1359 / MS06-013, BID 17196).
# Pre-filters on ".createTextRange();" and the radio input; the pcre ties the input's id (named group t, with optional
# matching quote characters q1/q2) to a later document.getElementById(<same id>).createTextRange call.
# The pcre "O" modifier overrides the configured PCRE match/recursion limits; combined with ".*?" under /s across the whole
# body this rule can be expensive on large responses — keep it in mind when profiling.
00361 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer createTextRange code execution attempt"; flow:to_client,established; file_data; content:".createTextRange|28 29 3B|"; content:"<input type|3D 22|radio|22|",nocase; pcre:"/\x3Cinput\s+type\x3D\x22radio\x22\s+id\x3D(?P<q1>(\x22|\x27|))(?P<t>\S+)(?P=q1).*?document\x2EgetElementById\x28(?P<q2>(\x22|\x27|))(?P=t)(?P=q2)\x29\x2EcreateTextRange/isO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,17196; reference:cve,2006-1359; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-013; classtype:attempted-user; sid:17262; rev:4; service:http; )
00361 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer createTextRange code execution attempt"; flow:to_client,established; file_data; content:".createTextRange|28 29 3B|"; content:"<input type|3D 22|radio|22|",nocase; pcre:"/\x3Cinput\s+type\x3D\x22radio\x22\s+id\x3D(?P<q1>(\x22|\x27|))(?P<t>\S+)(?P=q1).*?document\x2EgetElementById\x28(?P<q2>(\x22|\x27|))(?P=t)(?P=q2)\x29\x2EcreateTextRange/isO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,17196; reference:cve,2006-1359; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-013; classtype:attempted-user; sid:17262; rev:4; service:http; )
# sid:17261 — same createTextRange() detection as sid:17262, for <input type="checkbox">.
# NOTE(review): flow is "to_client" only, whereas the radio variant (sid:17262) uses "to_client,established". The missing
# "established" looks like an oversight; without it the rule is presumably also evaluated on flows that never completed the
# handshake. The image variant (sid:16035) has the same omission.
00362 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer createTextRange code execution attempt"; flow:to_client; file_data; content:".createTextRange|28 29 3B|"; content:"<input type|3D 22|checkbox|22|",nocase; pcre:"/\x3Cinput\s+type\x3D\x22checkbox\x22\s+id\x3D(?P<q1>(\x22|\x27|))(?P<t>\S+)(?P=q1).*?document\x2EgetElementById\x28(?P<q2>(\x22|\x27|))(?P=t)(?P=q2)\x29\x2EcreateTextRange/isO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,17196; reference:cve,2006-1359; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-013; classtype:attempted-user; sid:17261; rev:4; service:http; )
00362 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer createTextRange code execution attempt"; flow:to_client; file_data; content:".createTextRange|28 29 3B|"; content:"<input type|3D 22|checkbox|22|",nocase; pcre:"/\x3Cinput\s+type\x3D\x22checkbox\x22\s+id\x3D(?P<q1>(\x22|\x27|))(?P<t>\S+)(?P=q1).*?document\x2EgetElementById\x28(?P<q2>(\x22|\x27|))(?P=t)(?P=q2)\x29\x2EcreateTextRange/isO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,17196; reference:cve,2006-1359; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-013; classtype:attempted-user; sid:17261; rev:4; service:http; )
# sid:16035 — same createTextRange() detection as sid:17262, for <input type="image">.
# NOTE(review): like sid:17261, flow lacks "established" while the radio variant has it — align the three rules.
00363 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer createTextRange code execution attempt"; flow:to_client; file_data; content:".createTextRange|28 29 3B|"; content:"<input type|3D 22|image|22|",nocase; pcre:"/\x3Cinput\s+type\x3D\x22image\x22\s+id\x3D(?P<q1>(\x22|\x27|))(?P<t>\S+)(?P=q1).*?document\x2EgetElementById\x28(?P<q2>(\x22|\x27|))(?P=t)(?P=q2)\x29\x2EcreateTextRange/isO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,17196; reference:cve,2006-1359; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-013; classtype:attempted-user; sid:16035; rev:6; service:http; )
00363 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer createTextRange code execution attempt"; flow:to_client; file_data; content:".createTextRange|28 29 3B|"; content:"<input type|3D 22|image|22|",nocase; pcre:"/\x3Cinput\s+type\x3D\x22image\x22\s+id\x3D(?P<q1>(\x22|\x27|))(?P<t>\S+)(?P=q1).*?document\x2EgetElementById\x28(?P<q2>(\x22|\x27|))(?P=t)(?P=q2)\x29\x2EcreateTextRange/isO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,17196; reference:cve,2006-1359; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-013; classtype:attempted-user; sid:16035; rev:6; service:http; )
# sid:16311 — IE 6/7 single-line outerHTML invalid reference (CVE-2009-3672, CVE-2009-4054 / MS09-072, BID 37085).
# One case-sensitive content match on document.getElementsByTagName('STYLE')[0].outerHTML in the response body; there is no
# nocase, so case or quote-style variations are not covered. This rule is additionally dropped under the connectivity-ips
# policy, unlike its neighbours.
00364 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 6/7 single line outerHTML invalid reference arbitrary code execution attempt"; flow:to_client,established; file_data; content:"document.getElementsByTagName|28|'STYLE'|29|[0].outerHTML"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:bugtraq,37085; reference:cve,2009-3672; reference:cve,2009-4054; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-072; classtype:attempted-user; sid:16311; rev:6; service:http; )
00364 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 6/7 single line outerHTML invalid reference arbitrary code execution attempt"; flow:to_client,established; file_data; content:"document.getElementsByTagName|28|'STYLE'|29|[0].outerHTML"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:bugtraq,37085; reference:cve,2009-3672; reference:cve,2009-4054; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-072; classtype:attempted-user; sid:16311; rev:6; service:http; )
# sid:16063 — IE isindex buffer overflow (CVE-2008-0076 / MS08-010, BID 27668). Ordered, case-insensitive sequence in the
# response body: <style> ... <isindex> (fast_pattern) ... <style>.
00365 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer isindex buffer overflow attempt"; flow:to_client,established; file_data; content:"<style>",nocase; content:"<isindex>",distance 0,fast_pattern,nocase; content:"<style>",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,27668; reference:cve,2008-0076; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-010; classtype:attempted-user; sid:16063; rev:7; service:http; )
00365 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer isindex buffer overflow attempt"; flow:to_client,established; file_data; content:"<style>",nocase; content:"<isindex>",distance 0,fast_pattern,nocase; content:"<style>",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,27668; reference:cve,2008-0076; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-010; classtype:attempted-user; sid:16063; rev:7; service:http; )
# sid:15126 — IE nested-tag memory corruption (CVE-2008-4844 / MS08-078, BID 32721). Pre-filters on "datasrc" and "datafld";
# the pcre then looks for two elements of the same tag (group t1: button, div, input type=button, label, legend, marquee,
# param, span) carrying the same datasrc/datafld pair in either attribute order (groups d1..d4 with optional quotes q1..q8),
# with a negative look-ahead ruling out a closing tag of that element between the two.
# Uses the "O" modifier (PCRE match limits overridden) and several ".*?" scans under /s — expect this to be one of the more
# expensive rules in this set when profiling.
00366 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer nested tag memory corruption attempt"; flow:to_client,established; file_data; content:"datasrc",nocase; content:"datafld",nocase; pcre:"/<(?P<t1>button|div|input[^>]+?type\s*=\s*(\x22|\x27)button(\x22|\x27)|label|legend|marquee|param|span)\s+[^>]*(datasrc\s*=\s*(?P<q1>\x22|\x27|)(?P<d1>\S+)(?P=q1)\s+[^>]*datafld\s*=\s*(?P<q2>\x22|\x27|)(?P<d2>\S+)(?P=q2)|datafld\s*=\s*(?P<q3>\x22|\x27|)(?P<d3>\S+)(?P=q3)\s+[^>]*datasrc\s*=\s*(?P<q4>\x22|\x27|)(?P<d4>\S+)(?P=q4))[^>]*>(?!.*?<\/\s*(?P=t1)\s*>.*?<(?P=t1)).*?<(?P=t1)\s+[^>]*(datasrc\s*=\s*(?P<q5>\x22|\x27|)((?P=d1)|(?P=d3))(?P=q5)\s+datafld\s*=\s*(?P<q6>\x22|\x27|)((?P=d2)|(?P=d4))(?P=q6)|(datafld\s*=\s*(?P<q7>\x22|\x27|)(?P=d1)(?P=q7)\s+datasrc\s*=\s*(?P<q8>\x22|\x27|)(?P=d2)(?P=q8)))/Osi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,32721; reference:cve,2008-4844; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-078; classtype:attempted-user; sid:15126; rev:11; service:http; )
00366 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer nested tag memory corruption attempt"; flow:to_client,established; file_data; content:"datasrc",nocase; content:"datafld",nocase; pcre:"/<(?P<t1>button|div|input[^>]+?type\s*=\s*(\x22|\x27)button(\x22|\x27)|label|legend|marquee|param|span)\s+[^>]*(datasrc\s*=\s*(?P<q1>\x22|\x27|)(?P<d1>\S+)(?P=q1)\s+[^>]*datafld\s*=\s*(?P<q2>\x22|\x27|)(?P<d2>\S+)(?P=q2)|datafld\s*=\s*(?P<q3>\x22|\x27|)(?P<d3>\S+)(?P=q3)\s+[^>]*datasrc\s*=\s*(?P<q4>\x22|\x27|)(?P<d4>\S+)(?P=q4))[^>]*>(?!.*?<\/\s*(?P=t1)\s*>.*?<(?P=t1)).*?<(?P=t1)\s+[^>]*(datasrc\s*=\s*(?P<q5>\x22|\x27|)((?P=d1)|(?P=d3))(?P=q5)\s+datafld\s*=\s*(?P<q6>\x22|\x27|)((?P=d2)|(?P=d4))(?P=q6)|(datafld\s*=\s*(?P<q7>\x22|\x27|)(?P=d1)(?P=q7)\s+datasrc\s*=\s*(?P<q8>\x22|\x27|)(?P=d2)(?P=q8)))/Osi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,32721; reference:cve,2008-4844; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-078; classtype:attempted-user; sid:15126; rev:11; service:http; )
# sid:17645 — IE CSS strings parsing memory corruption (CVE-2007-0943 / MS07-045). Pre-filters on "text-decoration"; the pcre
# then requires a class selector (".name {") whose text-decoration declaration reaches the closing "}" without any ":" —
# i.e. a property name with no value separator.
00367 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CSS strings parsing memory corruption attempt"; flow:to_client,established; file_data; content:"text-decoration",nocase; pcre:"/\x2E[A-Z\d_]+\s*\x7b\s*text-decoration[^\x3A]*?\x7d/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2007-0943; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-045; classtype:attempted-user; sid:17645; rev:4; service:http; )
00367 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CSS strings parsing memory corruption attempt"; flow:to_client,established; file_data; content:"text-decoration",nocase; pcre:"/\x2E[A-Z\d_]+\s*\x7b\s*text-decoration[^\x3A]*?\x7d/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2007-0943; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-045; classtype:attempted-user; sid:17645; rev:4; service:http; )
# sid:20766 — IE contenteditable corruption (CVE-2011-1255 / MS11-050), e-mail delivery variant: inbound traffic to
# $SMTP_SERVERS port 25, with file_data inspecting the decoded message body/attachment. Requires the "#default#time2"
# behavior, the schemas-microsoft-com:time namespace, a contenteditable attribute and a ":transitionFilter" element.
00368 alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer contenteditable corruption attempt"; flow:to_server,established; file_data; content:"#default#time2"; content:"schemas-microsoft-com:time",nocase; content:"contenteditable",nocase; content:"|3A|transitionFilter",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2011-1255; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-050; classtype:attempted-user; sid:20766; rev:5; service:smtp; )
00368 alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer contenteditable corruption attempt"; flow:to_server,established; file_data; content:"#default#time2"; content:"schemas-microsoft-com:time",nocase; content:"contenteditable",nocase; content:"|3A|transitionFilter",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2011-1255; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-050; classtype:attempted-user; sid:20766; rev:5; service:smtp; )
# sid:21994 — IE8 DOM memory corruption (CVE-2009-3671 / MS09-072, BID 37188). Requires an X-UA-Compatible meta with
# content="IE=8", then a script in which some element variable is detached via <var>.parentNode.removeChild(<same var>)
# (pcre back-reference element2), plus a <ul> element anywhere in the body (that last content is not relative).
00369 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 8 DOM memory corruption attempt"; flow:to_client,established; file_data; content:"|22|X-UA-Compatible|22|",nocase; content:"content|3D 22|IE|3D|8|22|",distance 0,nocase; pcre:"/<\s*script.*?(?P<element2>\w+?)\x2Eparentnode\x2Eremovechild\x28(?P=element2)\x29/smi"; content:"|3C|ul|3E|",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,37188; reference:cve,2009-3671; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-072; classtype:attempted-user; sid:21994; rev:3; service:http; )
00369 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 8 DOM memory corruption attempt"; flow:to_client,established; file_data; content:"|22|X-UA-Compatible|22|",nocase; content:"content|3D 22|IE|3D|8|22|",distance 0,nocase; pcre:"/<\s*script.*?(?P<element2>\w+?)\x2Eparentnode\x2Eremovechild\x28(?P=element2)\x29/smi"; content:"|3C|ul|3E|",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,37188; reference:cve,2009-3671; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-072; classtype:attempted-user; sid:21994; rev:3; service:http; )
# sid:15732 — IE CSS handling memory corruption (CVE-2009-1919 / MS09-034). Ordered, case-insensitive sequence in the
# response body: <style, document.styleSheets[0].rules[0].style, document.styleSheets[0].cssText, .font.
00370 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CSS handling memory corruption attempt"; flow:to_client,established; file_data; content:"<style",nocase; content:"document.styleSheets[0].rules[0].style",distance 0,nocase; content:"document.styleSheets[0].cssText",distance 0,nocase; content:".font",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-1919; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-034; classtype:attempted-user; sid:15732; rev:7; service:http; )
00370 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CSS handling memory corruption attempt"; flow:to_client,established; file_data; content:"<style",nocase; content:"document.styleSheets[0].rules[0].style",distance 0,nocase; content:"document.styleSheets[0].cssText",distance 0,nocase; content:".font",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-1919; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-034; classtype:attempted-user; sid:15732; rev:7; service:http; )
# sid:16152 — IE table layout uninitialized/deleted object access (CVE-2009-2531 / MS09-054). Exact markup sequence: a
# <span> with writing-mode: bt-rl, a float:left <table> within 60 bytes, </table> within 20 and </span> within 40.
# NOTE(review): msg contains the typo "unitialized" (should be "uninitialized"); correcting it changes the alert text, so
# bump rev with the fix. classtype is misc-activity while the neighbouring IE memory-corruption rules use attempted-user —
# consider aligning.
00371 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer table layout unitialized or deleted object access attempt"; flow:to_client,established; file_data; content:"<span style=|22|position|3A| absolute|3B|writing-mode|3A| bt-rl|22|>",nocase; content:"<table style=|22|float|3A|left|3B 22|>",within 60,nocase; content:"</table>",within 20,nocase; content:"</span>",within 40,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-2531; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-054; classtype:misc-activity; sid:16152; rev:6; service:http; )
00371 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer table layout unitialized or deleted object access attempt"; flow:to_client,established; file_data; content:"<span style=|22|position|3A| absolute|3B|writing-mode|3A| bt-rl|22|>",nocase; content:"<table style=|22|float|3A|left|3B 22|>",within 60,nocase; content:"</table>",within 20,nocase; content:"</span>",within 40,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-2531; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-054; classtype:misc-activity; sid:16152; rev:6; service:http; )
# sid:16376 — IE onPropertyChange / deleteTable memory corruption (CVE-2010-0244). Keyed to the public PoC's exact
# identifiers (res=document.getElementById('column'); followed by res.onpropertychange=), so coverage is limited to that
# code shape. Unlike its neighbours it carries no vendor bulletin URL reference, and classtype is misc-activity.
00372 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer onPropertyChange deleteTable memory corruption attempt"; flow:to_client,established; file_data; content:"res=document.getElementById|28|'column'|29 3B|"; content:"res.onpropertychange=",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-0244; classtype:misc-activity; sid:16376; rev:5; service:http; )
00372 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer onPropertyChange deleteTable memory corruption attempt"; flow:to_client,established; file_data; content:"res=document.getElementById|28|'column'|29 3B|"; content:"res.onpropertychange=",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-0244; classtype:misc-activity; sid:16376; rev:5; service:http; )
# sid:15458 — IE navigating-between-pages race condition (CVE-2009-0551 / MS09-014). Keyed to the PoC's function names:
# "function set_timers()" followed within 40 bytes by setInterval('flip_page()' — both case-sensitive.
00373 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer navigating between pages race condition attempt"; flow:to_client,established; file_data; content:"function set_timers|28 29|"; content:"setInterval|28|'flip_page|28 29|'",within 40; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-0551; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-014; classtype:attempted-user; sid:15458; rev:6; service:http; )
00373 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer navigating between pages race condition attempt"; flow:to_client,established; file_data; content:"function set_timers|28 29|"; content:"setInterval|28|'flip_page|28 29|'",within 40; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-0551; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-014; classtype:attempted-user; sid:15458; rev:6; service:http; )
# sid:15459 — IE deleted/uninitialized object memory corruption (CVE-2009-0552 / MS09-014). Ordered script-body sequence
# keyed to the PoC's identifiers: var arr1=new Array, history.go(arr1[1]), arr1[i] += temp, then </script (each with
# distance 1 from the previous match). msg carries the same "unitialized" typo as sid:16152.
00374 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer deleted/unitialized object memory corruption attempt"; flow:to_client,established; file_data; content:"<script",nocase; content:"var arr1=new Array",distance 1; content:"history.go|28|arr1[1]|29|",distance 1; content:"arr1[i] += temp",distance 1; content:"</script",distance 1,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-0552; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-014; classtype:attempted-user; sid:15459; rev:6; service:http; )
00374 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer deleted/unitialized object memory corruption attempt"; flow:to_client,established; file_data; content:"<script",nocase; content:"var arr1=new Array",distance 1; content:"history.go|28|arr1[1]|29|",distance 1; content:"arr1[i] += temp",distance 1; content:"</script",distance 1,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-0552; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-014; classtype:attempted-user; sid:15459; rev:6; service:http; )
# sid:16369 — IE deleted object access memory corruption (CVE-2010-0249 / MS10-002), "public exploit" variant. Matches one
# specific encoding of the known exploit script: a space-separated run of decimal character codes exactly as it appears in
# the page text, so only that encoded form of the exploit is covered.
00375 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer deleted object access memory corruption attempt - public exploit"; flow:to_client,established; file_data; content:"100 112 99 118 109 102 110 117 46 100 114 102 97 117 101 70 118 102 110 117 79 99 106 102 99 117 40 102 118 117 41 60 32 101 111 100 117 110 101 111 116 47 103 102 116 70 108 102 109 102 110 117 66 122 73 101 40 35 115 113 49 35 41 47 105 111 110 102 114 73 84 78 76 62 34 35 59 120 105 111 100 112 119 47 115 102 116 74 110 117 101 115 118 98 108"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-0249; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-002; classtype:attempted-user; sid:16369; rev:7; service:http; )
00375 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer deleted object access memory corruption attempt - public exploit"; flow:to_client,established; file_data; content:"100 112 99 118 109 102 110 117 46 100 114 102 97 117 101 70 118 102 110 117 79 99 106 102 99 117 40 102 118 117 41 60 32 101 111 100 117 110 101 111 116 47 103 102 116 70 108 102 109 102 110 117 66 122 73 101 40 35 115 113 49 35 41 47 105 111 110 102 114 73 84 78 76 62 34 35 59 120 105 111 100 112 119 47 115 102 116 74 110 117 101 115 118 98 108"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-0249; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-002; classtype:attempted-user; sid:16369; rev:7; service:http; )
# sid:16637 — IE security zone restriction bypass (CVE-2010-0255 / MS10-035). Single case-sensitive content match on the
# PoC's backslash-escaped string /test/setScript.htm\?\<script language=\'vbscript\' src=\'http://<server>/test/test.vbs\'\>
# (the |5C| bytes are the literal backslashes), so coverage is limited to that exact page.
00376 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer security zone restriction bypass attempt"; flow:to_client,established; file_data; content:"|2F|test|2F|setScript|2E|htm|5C 3F 5C 3C|script language|3D 5C 27|vbscript|5C 27| src|3D 5C 27|http|3A 2F 2F 3C|server|3E 2F|test|2F|test|2E|vbs|5C 27 5C 3E|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-0255; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-035; classtype:attempted-user; sid:16637; rev:7; service:http; )
00376 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer security zone restriction bypass attempt"; flow:to_client,established; file_data; content:"|2F|test|2F|setScript|2E|htm|5C 3F 5C 3C|script language|3D 5C 27|vbscript|5C 27| src|3D 5C 27|http|3A 2F 2F 3C|server|3E 2F|test|2F|test|2E|vbs|5C 27 5C 3E|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-0255; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-035; classtype:attempted-user; sid:16637; rev:7; service:http; )
# sid:17687 — IE invalid pointer memory corruption (CVE-2010-0806 / MS10-018), first of three variants. Requires a
# ".test { behavior: url(#default#userData) }" CSS rule, then two case-sensitive byte runs that are the ASCII text of
# "\x"-escaped JavaScript string literals (each |5C 78| pair is the two characters "\x"), i.e. one particular encoded
# payload string from the known exploit.
00377 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer invalid pointer memory corruption attempt"; flow:to_client,established; file_data; content:"|2E|test|20 7B|behavior|3A 20|url|28 23|default|23|userData|29|",nocase; content:"|39 39 5C 78 39 35 5C 78 39 62 5C 78 63 63 5C 78|",distance 0; content:"|39 64 5C 78 63 39 5C 78 38 38 5C 78 64 38 5C 78 39 65 5C 78 39 64 5C 78 39 35 5C 78 39 64 5C 78|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-0806; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-018; classtype:attempted-user; sid:17687; rev:7; service:http; )
00377 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer invalid pointer memory corruption attempt"; flow:to_client,established; file_data; content:"|2E|test|20 7B|behavior|3A 20|url|28 23|default|23|userData|29|",nocase; content:"|39 39 5C 78 39 35 5C 78 39 62 5C 78 63 63 5C 78|",distance 0; content:"|39 64 5C 78 63 39 5C 78 38 38 5C 78 64 38 5C 78 39 65 5C 78 39 64 5C 78 39 35 5C 78 39 64 5C 78|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-0806; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-018; classtype:attempted-user; sid:17687; rev:7; service:http; )
# sid:17686 — IE invalid pointer memory corruption (CVE-2010-0806 / MS10-018), second variant: same userData behavior
# pre-filter as sid:17687 followed by a different pair of "\x"-escaped string fragments from the known exploit.
00378 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer invalid pointer memory corruption attempt"; flow:to_client,established; file_data; content:"|2E|test|20 7B|behavior|3A 20|url|28 23|default|23|userData|29|",nocase; content:"|61 66 5C 78 61 63 5C 78 62 64 5C 78 65 64 5C 78|",distance 0; content:"|62 64 5C 78 65 64 5C 78 61 65 5C 78 66 39 5C 78 61 62 5C 78 61 63 5C 78 62 64 5C 78 65 64 5C 78|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-0806; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-018; classtype:attempted-user; sid:17686; rev:7; service:http; )
00378 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer invalid pointer memory corruption attempt"; flow:to_client,established; file_data; content:"|2E|test|20 7B|behavior|3A 20|url|28 23|default|23|userData|29|",nocase; content:"|61 66 5C 78 61 63 5C 78 62 64 5C 78 65 64 5C 78|",distance 0; content:"|62 64 5C 78 65 64 5C 78 61 65 5C 78 66 39 5C 78 61 62 5C 78 61 63 5C 78 62 64 5C 78 65 64 5C 78|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-0806; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-018; classtype:attempted-user; sid:17686; rev:7; service:http; )
# sid:17685 — IE invalid pointer memory corruption (CVE-2010-0806 / MS10-018), third variant. Requires setAttribute,
# document.location, the string about:\u0c0c\u0c0c\u0c0c\u0c0cblank" within 40 bytes (0x0c0c is a value commonly seen as a
# heap-spray target address) and a <marquee element afterwards.
00379 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer invalid pointer memory corruption attempt"; flow:to_client,established; file_data; content:"setAttribute"; content:"document.location",distance 0; content:"about|3A 5C|u0c0c|5C|u0c0c|5C|u0c0c|5C|u0c0cblank|22|",within 40; content:"<marquee",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-0806; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-018; classtype:attempted-user; sid:17685; rev:7; service:http; )
00379 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer invalid pointer memory corruption attempt"; flow:to_client,established; file_data; content:"setAttribute"; content:"document.location",distance 0; content:"about|3A 5C|u0c0c|5C|u0c0c|5C|u0c0c|5C|u0c0cblank|22|",within 40; content:"<marquee",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-0806; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-018; classtype:attempted-user; sid:17685; rev:7; service:http; )
# sid:17747 — IE compressed HDMX font (EOT) integer overflow (CVE-2010-1883 / MS10-076). Fires only when the file.eot
# flowbit is already set — the rule that sets it (EOT file-type identification) is not in this view — and then matches a
# fixed 24-byte sequence in the decoded file data. Covers http, imap and pop3 delivery via $FILE_DATA_PORTS.
00380 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer compressed HDMX font processing integer overflow attempt"; flow:to_client,established; flowbits:isset,file.eot; file_data; content:"|35 1E 8C F3 EA 69 54 52 D3 04 21 97 B9 56 49 31 28 EA D2 95 1D 8C 6C 5B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-1883; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-076; classtype:attempted-admin; sid:17747; rev:9; service:http; service:imap; service:pop3; )
00380 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer compressed HDMX font processing integer overflow attempt"; flow:to_client,established; flowbits:isset,file.eot; file_data; content:"|35 1E 8C F3 EA 69 54 52 D3 04 21 97 B9 56 49 31 28 EA D2 95 1D 8C 6C 5B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-1883; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-076; classtype:attempted-admin; sid:17747; rev:9; service:http; service:imap; service:pop3; )
00380 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer compressed HDMX font processing integer overflow attempt"; flow:to_client,established; flowbits:isset,file.eot; file_data; content:"|35 1E 8C F3 EA 69 54 52 D3 04 21 97 B9 56 49 31 28 EA D2 95 1D 8C 6C 5B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-1883; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-076; classtype:attempted-admin; sid:17747; rev:9; service:http; service:imap; service:pop3; )
00380 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer compressed HDMX font processing integer overflow attempt"; flow:to_client,established; flowbits:isset,file.eot; file_data; content:"|35 1E 8C F3 EA 69 54 52 D3 04 21 97 B9 56 49 31 28 EA D2 95 1D 8C 6C 5B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-1883; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-076; classtype:attempted-admin; sid:17747; rev:9; service:http; service:imap; service:pop3; )
# sid:17136 — IE6 race condition (CVE-2010-2558 / MS10-053). Case-sensitive match on <meta http-equiv="refresh"
# content="01"/> followed by <iframe src="iframepoc.html"></iframe>; the iframe file name is the public PoC's, so coverage is
# limited to that page.
00381 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 6 race condition exploit attempt"; flow:to_client,established; file_data; content:"|3C|meta http-equiv|3D 22|refresh|22| content|3D 22|01|22 2F 3E|"; content:"|3C|iframe src|3D 22|iframepoc.html|22 3E 3C 2F|iframe|3E|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-2558; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-053; classtype:attempted-user; sid:17136; rev:6; service:http; )
00381 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 6 race condition exploit attempt"; flow:to_client,established; file_data; content:"|3C|meta http-equiv|3D 22|refresh|22| content|3D 22|01|22 2F 3E|"; content:"|3C|iframe src|3D 22|iframepoc.html|22 3E 3C 2F|iframe|3E|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-2558; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-053; classtype:attempted-user; sid:17136; rev:6; service:http; )
# sid:17774 — IE8 CSS cross-site request forgery / information leak (CVE-2010-3325 / MS10-071). Single case-sensitive
# content match on alert(el.currentStyle.fontFamily), the PoC's probe expression; no nocase and no pcre.
00382 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 8 CSS XSRF exploit attempt"; flow:to_client,established; file_data; content:"alert|28|el.currentStyle.fontFamily|29|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-3325; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-071; classtype:attempted-user; sid:17774; rev:6; service:http; )
00382 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 8 CSS XSRF exploit attempt"; flow:to_client,established; file_data; content:"alert|28|el.currentStyle.fontFamily|29|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-3325; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-071; classtype:attempted-user; sid:17774; rev:6; service:http; )
# sid 17769 (CVE-2010-3328, MS10-071): two ordered (distance 0), case-sensitive PoC lines. Both contents end in
# |3B 0A| (";" immediately followed by LF), so the same script served with CRLF line endings, trailing spaces or
# different variable names does not match.
00383 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 8 CSS invalid mapping exploit attempt"; flow:to_client,established; file_data; content:"var x = document.styleSheets|5B 30 5D 3B 0A|"; content:"var s = x.rules.item|28 30 29|.style|3B 0A|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-3328; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-071; classtype:attempted-user; sid:17769; rev:7; service:http; )
00383 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 8 CSS invalid mapping exploit attempt"; flow:to_client,established; file_data; content:"var x = document.styleSheets|5B 30 5D 3B 0A|"; content:"var s = x.rules.item|28 30 29|.style|3B 0A|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-3328; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-071; classtype:attempted-user; sid:17769; rev:7; service:http; )
# sid 17771 (CVE-2010-3330, MS10-071): cross-domain stylesheet text read through linkEle.styleSheet.cssText.
# Case-insensitive, but tied to the PoC's variable names ("s", "linkEle") and to single-space separators (|20|);
# a minified or renamed variant evades it.
00384 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer cross-domain information disclosure attempt"; flow:to_client,established; file_data; content:"var|20|s|20 3D 20|linkEle|2E|styleSheet|2E|cssText",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-3330; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-071; classtype:attempted-user; sid:17771; rev:7; service:http; )
00384 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer cross-domain information disclosure attempt"; flow:to_client,established; file_data; content:"var|20|s|20 3D 20|linkEle|2E|styleSheet|2E|cssText",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-3330; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-071; classtype:attempted-user; sid:17771; rev:7; service:http; )
# sid 15733 (CVE-2009-1918, MS09-034): empty-table memory corruption. Three case-insensitive contents that must
# appear in this order (distance 0): getElementsByTagName("SPAN")[0], createElement('TR'), appendChild(tr).
# Quote styles and the "tr" variable name are fixed, so coverage follows the published PoC closely.
00385 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer empty table tag memory corruption attempt"; flow:to_client,established; file_data; content:"document.getElementsByTagName(|22|SPAN|22|)[0]",nocase; content:"document.createElement(|27|TR|27|)",distance 0,nocase; content:"appendChild(tr)",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-1918; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-034; classtype:attempted-user; sid:15733; rev:4; service:http; )
00385 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer empty table tag memory corruption attempt"; flow:to_client,established; file_data; content:"document.getElementsByTagName(|22|SPAN|22|)[0]",nocase; content:"document.createElement(|27|TR|27|)",distance 0,nocase; content:"appendChild(tr)",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-1918; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-034; classtype:attempted-user; sid:15733; rev:4; service:http; )
# sid 18539 (CVE-2010-0267, MS10-018): event-handling RCE. fast_pattern on "function doMouseLeave", then
# window.event.srcElement within 100 bytes, then a PCRE that captures the variable assigned from
# window.event.srcElement (group 1) and requires <var>.parentNode.innerHTML = " later in the same function body
# (no "}" allowed in between). More generic than the neighbouring rules, but the handler name doMouseLeave is
# still taken from the PoC, so a renamed handler is not covered.
00386 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer event handling remote code execution attempt"; flow:to_client,established; file_data; content:"function doMouseLeave",fast_pattern,nocase; content:"window|2E|event|2E|srcElement",within 100,nocase; pcre:"/doMouseLeave[^\x7D]*([^\x7D\s]*)\s*\x3D\s*window\x2Eevent\x2EsrcElement[^\x7D]*\1\x2EparentNode\x2EinnerHTML\s*\x3D\s*\x22/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-0267; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-018; classtype:attempted-user; sid:18539; rev:4; service:http; )
00386 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer event handling remote code execution attempt"; flow:to_client,established; file_data; content:"function doMouseLeave",fast_pattern,nocase; content:"window|2E|event|2E|srcElement",within 100,nocase; pcre:"/doMouseLeave[^\x7D]*([^\x7D\s]*)\s*\x3D\s*window\x2Eevent\x2EsrcElement[^\x7D]*\1\x2EparentNode\x2EinnerHTML\s*\x3D\s*\x22/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-0267; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-018; classtype:attempted-user; sid:18539; rev:4; service:http; )
# sid 18401 (CVE-2010-0031, MS11-009): malformed JScript.Encode header. After the "//**Start Encode**#@~^" marker
# (|2A| is "*"; case-insensitive), the rule skips 6 bytes - the position the encoded-script format uses for its
# length field - and alerts if the next 2 bytes are NOT "==" (negated content, within 2). In other words it fires on
# an encode marker whose length field is not terminated the way the decoder expects, which is what the overflow
# relies on. It does not inspect the encoded body itself.
00387 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer Base64 encoded script overflow attempt"; flow:to_client,established; file_data; content:"//|2A|*Start Encode**#@~^",fast_pattern,nocase; content:!"==",within 2,distance 6; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-0031; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-009; classtype:attempted-admin; sid:18401; rev:7; service:http; )
00387 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer Base64 encoded script overflow attempt"; flow:to_client,established; file_data; content:"//|2A|*Start Encode**#@~^",fast_pattern,nocase; content:!"==",within 2,distance 6; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-0031; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-009; classtype:attempted-admin; sid:18401; rev:7; service:http; )
# sid 16584 (CVE-2010-0886 / CVE-2010-1423, BID 39346): Java Web Start argument injection through the Java Plug-in
# ActiveX control. Three unordered contents anywhere in file_data: the control's CLSID
# 8AD9C840-044E-11D1-B3E9-00805F499D93, the "-XXaltjvm" JVM option the exploit smuggles in, and "launchjnlp"
# (case-insensitive). No relative ordering is enforced, so the three strings may appear in any order in the page.
00388 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Oracle Java Web Start arbitrary command execution attempt - Internet Explorer"; flow:to_client,established; file_data; content:"8AD9C840-044E-11D1-B3E9-00805F499D93"; content:"-XXaltjvm"; content:"launchjnlp",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,39346; reference:cve,2010-0886; reference:cve,2010-1423; classtype:attempted-user; sid:16584; rev:5; service:http; )
00388 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Oracle Java Web Start arbitrary command execution attempt - Internet Explorer"; flow:to_client,established; file_data; content:"8AD9C840-044E-11D1-B3E9-00805F499D93"; content:"-XXaltjvm"; content:"launchjnlp",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,39346; reference:cve,2010-0886; reference:cve,2010-1423; classtype:attempted-user; sid:16584; rev:5; service:http; )
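# sid 12664 (CVE-2007-3896, MS07-057 / advisory 943521): vCard whose mailto: URL is handed by ShellExecute to a
# .cmd/.bat handler. This is a raw-payload match (no http_* buffer, no file_data): "BEGIN:VCARD" anywhere, then a
# PCRE (/m, /s, /i) for a line starting "URL;<type>:mailto:" that contains a "%" and later ".cmd" or ".bat" on the
# same line.
# The source port was a literal 80 while the rule declares service:http and every sibling rule here uses
# $HTTP_PORTS; a vCard fetched over 8080/3128 etc. was not inspected. Changed to $HTTP_PORTS (rev bumped).
00389 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Windows ShellExecute and Internet Explorer 7 url handling code execution attempt"; flow:to_client,established; content:"BEGIN|3A|VCARD"; pcre:"/^URL\x3b\w+\x3amailto\x3a[^\n]*%[^\n]*\.(cmd|bat)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,25945; reference:cve,2007-3896; reference:url,technet.microsoft.com/en-us/security/advisory/943521; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-057; classtype:attempted-user; sid:12664; rev:8; service:http; )
00389 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Windows ShellExecute and Internet Explorer 7 url handling code execution attempt"; flow:to_client,established; content:"BEGIN|3A|VCARD"; pcre:"/^URL\x3b\w+\x3amailto\x3a[^\n]*%[^\n]*\.(cmd|bat)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,25945; reference:cve,2007-3896; reference:url,technet.microsoft.com/en-us/security/advisory/943521; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-057; classtype:attempted-user; sid:12664; rev:8; service:http; )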
# sid 24203 (CVE-2012-1876, MS12-037): SMTP-side (inbound mail bodies/attachments via file_data) generic form of the
# <col span> width-increase bug. fast_pattern on "table-layout:" followed by "fixed" within 7 bytes, i.e. at most
# 2 bytes (spaces) between the colon and "fixed". The PCRE then ties a getElementById() result (named group "var",
# element id in group "col_id") to either a later <var>.span write inside a <table> that contains a <col> with that
# id, or a <col> with that id carrying a numeric span attribute.
# The PCRE chains several .*? with /s across the whole file_data buffer, which can be costly on large HTML
# attachments; the fast_pattern prefilter limits how often it runs. sid 24204/24205 are the literal-PoC variants.
00390 alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer html table column span width increase memory corruption attempt"; flow:to_server,established; file_data; content:"table-layout|3A|",fast_pattern,nocase; content:"fixed",within 7,nocase; pcre:"/<\s*script.*?(?P<var>\w+)\s*=\s*document\.getElementById\s*\x28\s*[\x22\x27](?P<col_id>[^\x22\x27]+)[\x22\x27]\s*\x29.*?((?P=var)\.span.*?<\s*table.*?<col[^>]*?id\s*=\s*[\x22\x27]?(?P=col_id)[^>]*?>.*?<\s*\/\s*table\s*>|<\s*col.*?id\s*=\s*[\x22\x27]?(?P=col_id)[^>]*?span\s*=\s*[\x22\x27]?\d)/ims"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2012-1876; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-037; classtype:attempted-user; sid:24203; rev:3; service:smtp; )
00390 alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer html table column span width increase memory corruption attempt"; flow:to_server,established; file_data; content:"table-layout|3A|",fast_pattern,nocase; content:"fixed",within 7,nocase; pcre:"/<\s*script.*?(?P<var>\w+)\s*=\s*document\.getElementById\s*\x28\s*[\x22\x27](?P<col_id>[^\x22\x27]+)[\x22\x27]\s*\x29.*?((?P=var)\.span.*?<\s*table.*?<col[^>]*?id\s*=\s*[\x22\x27]?(?P=col_id)[^>]*?>.*?<\s*\/\s*table\s*>|<\s*col.*?id\s*=\s*[\x22\x27]?(?P=col_id)[^>]*?span\s*=\s*[\x22\x27]?\d)/ims"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2012-1876; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-037; classtype:attempted-user; sid:24203; rev:3; service:smtp; )
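# sid 24204 (CVE-2012-1876, MS12-037): literal-PoC variant of sid 24203. "table-layout:" + "fixed" within 7 bytes,
# the PoC's var divt = document.getElementById("div_table") line (case-insensitive) and the exact, case-sensitive
# <col id='col_id' width='41' span='9'> tag. Any change to the PoC's identifiers or attribute values evades it.
# The rule declares service http, imap and pop3, but its source port was $HTTP_PORTS, which does not cover the
# IMAP/POP3 ports; the other multi-service rules in this file (sid 17747, 24956, 25125-25128) use $FILE_DATA_PORTS.
# Changed to $FILE_DATA_PORTS so port-based evaluation matches the declared services (rev bumped).
00391 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer html table column span width increase memory corruption attempt"; flow:to_client,established; file_data; content:"table-layout|3A|",nocase; content:"fixed",within 7,nocase; content:"var divt = document.getElementById(|22|div_table|22|)",nocase; content:"<col id='col_id' width='41' span='9'>"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1876; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-037; classtype:attempted-user; sid:24204; rev:4; service:http; service:imap; service:pop3; )
00391 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer html table column span width increase memory corruption attempt"; flow:to_client,established; file_data; content:"table-layout|3A|",nocase; content:"fixed",within 7,nocase; content:"var divt = document.getElementById(|22|div_table|22|)",nocase; content:"<col id='col_id' width='41' span='9'>"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1876; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-037; classtype:attempted-user; sid:24204; rev:4; service:http; service:imap; service:pop3; )
00391 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer html table column span width increase memory corruption attempt"; flow:to_client,established; file_data; content:"table-layout|3A|",nocase; content:"fixed",within 7,nocase; content:"var divt = document.getElementById(|22|div_table|22|)",nocase; content:"<col id='col_id' width='41' span='9'>"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1876; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-037; classtype:attempted-user; sid:24204; rev:4; service:http; service:imap; service:pop3; )
00391 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer html table column span width increase memory corruption attempt"; flow:to_client,established; file_data; content:"table-layout|3A|",nocase; content:"fixed",within 7,nocase; content:"var divt = document.getElementById(|22|div_table|22|)",nocase; content:"<col id='col_id' width='41' span='9'>"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1876; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-037; classtype:attempted-user; sid:24204; rev:4; service:http; service:imap; service:pop3; )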
# sid 24205 (CVE-2012-1876, MS12-037): SMTP copy of sid 24204 (inbound mail via file_data), same literal PoC
# strings: "table-layout:" + "fixed" within 7 bytes, the div_table getElementById line and the exact
# <col id='col_id' width='41' span='9'> tag. Coverage is PoC-specific; sid 24203 is the generic PCRE form for the
# same vector and direction.
00392 alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer html table column span width increase memory corruption attempt"; flow:to_server,established; file_data; content:"table-layout|3A|",nocase; content:"fixed",within 7,nocase; content:"var divt = document.getElementById(|22|div_table|22|)",nocase; content:"<col id='col_id' width='41' span='9'>"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2012-1876; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-037; classtype:attempted-user; sid:24205; rev:4; service:smtp; )
00392 alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer html table column span width increase memory corruption attempt"; flow:to_server,established; file_data; content:"table-layout|3A|",nocase; content:"fixed",within 7,nocase; content:"var divt = document.getElementById(|22|div_table|22|)",nocase; content:"<col id='col_id' width='41' span='9'>"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2012-1876; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-037; classtype:attempted-user; sid:24205; rev:4; service:smtp; )
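# sid 24210 (CVE-2012-4969, MS12-063): IE execCommand("selectAll") use-after-free as first seen in the wild.
# Contents: the exact execCommand(|22|selectAll|22|) call (double quotes, case-sensitive), "onload=" and then
# "onselect=" within 50 bytes, plus a PCRE confirming both handlers sit on the same <body ...> tag.
# The only reference was the AlienVault write-up; the CVE and MS12-063 references already carried by the companion
# rule sid 24212 are added so the alert maps to the patch (rev bumped).
00393 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer execCommand use-after-free attempt"; flow:to_client,established; file_data; content:"execCommand(|22|selectAll|22|)"; content:"onload=",nocase; content:"onselect=",within 50,nocase; pcre:"/body[^>]*?onload[^>]*?onselect/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-4969; reference:url,labs.alienvault.com/labs/index.php/2012/new-internet-explorer-zero-day-being-exploited-in-the-wild/; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-063; classtype:attempted-user; sid:24210; rev:4; service:http; )
00393 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer execCommand use-after-free attempt"; flow:to_client,established; file_data; content:"execCommand(|22|selectAll|22|)"; content:"onload=",nocase; content:"onselect=",within 50,nocase; pcre:"/body[^>]*?onload[^>]*?onselect/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-4969; reference:url,labs.alienvault.com/labs/index.php/2012/new-internet-explorer-zero-day-being-exploited-in-the-wild/; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-063; classtype:attempted-user; sid:24210; rev:4; service:http; )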
# sid 24212 (CVE-2012-4969, MS12-063): broader execCommand use-after-free rule. "body" then "onselect=" within
# 50 bytes, plus unordered "selectAll" (case-sensitive), "document.write" and "execCommand" (case-insensitive), and
# a PCRE that accepts execCommand( 'selectAll' ) with either quote style and optional whitespace.
# "body" alone is a very weak anchor (nocase, so it also hits "nobody", "<tbody" etc.); selectivity comes from the
# other contents. Expect some false positives on pages that legitimately call selectAll from an onselect handler.
00394 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer execCommand use-after-free attempt"; flow:to_client,established; file_data; content:"body",nocase; content:"onselect=",within 50,nocase; content:"selectAll"; content:"document.write",nocase; content:"execCommand",nocase; pcre:"/execCommand\x28\s*?[\x22\x27]selectAll[\x22\x27]\s*?\x29/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-4969; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-063; classtype:attempted-user; sid:24212; rev:4; service:http; )
00394 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer execCommand use-after-free attempt"; flow:to_client,established; file_data; content:"body",nocase; content:"onselect=",within 50,nocase; content:"selectAll"; content:"document.write",nocase; content:"execCommand",nocase; pcre:"/execCommand\x28\s*?[\x22\x27]selectAll[\x22\x27]\s*?\x29/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-4969; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-063; classtype:attempted-user; sid:24212; rev:4; service:http; )
# sid 24252 (CVE-2012-4969): heuristic companion to sid 24210/24212. Ordered (distance 0): an inline <script> block
# containing execCommand( (case-sensitive), its closing </script>, then an onselect= attribute somewhere after it.
# It does not require "selectAll", so any page that calls execCommand from inline script and also has an onselect
# handler later will alert - treat as a high-false-positive rule and tune or disable where that pattern is normal.
# Still rev 1 and carries no bulletin reference; the patch is MS12-063 as referenced on sid 24212.
00395 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer execCommand use embedded within javascript tags"; flow:to_client,established; file_data; content:"<script>",nocase; content:"execCommand(",distance 0; content:"</script>",distance 0,nocase; content:"onselect=",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-4969; classtype:attempted-user; sid:24252; rev:1; service:http; )
00395 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer execCommand use embedded within javascript tags"; flow:to_client,established; file_data; content:"<script>",nocase; content:"execCommand(",distance 0; content:"</script>",distance 0,nocase; content:"onselect=",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-4969; classtype:attempted-user; sid:24252; rev:1; service:http; )
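# sid 24869 (CVE-2010-0247 / CVE-2011-0094, MS10-002 / MS11-018, BID 37893): mergeAttributes/swapNode memory
# corruption, HTTP direction. Two unordered, case-sensitive contents keyed on the PoC's "redhat" object name:
# redhat.mergeAttributes(redhat) and redhat.swapNode(redhat). PoC-specific; sid 24870 is the "body" variant.
# Was classtype:misc-activity (lowest priority) even though the msg, CVEs and bulletins describe a memory-corruption
# exploit attempt and the other memory-corruption rules on this page (sid 15733, 24203-24205) use attempted-user;
# aligned to attempted-user so the alert is prioritised like its siblings (rev bumped).
00396 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer DOM mergeAttributes memory corruption attempt"; flow:to_client,established; file_data; content:"redhat.mergeAttributes|28|redhat|29|"; content:"redhat.swapNode|28|redhat|29|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,37893; reference:cve,2010-0247; reference:cve,2011-0094; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-002; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-018; classtype:attempted-user; sid:24869; rev:2; service:http; )
00396 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer DOM mergeAttributes memory corruption attempt"; flow:to_client,established; file_data; content:"redhat.mergeAttributes|28|redhat|29|"; content:"redhat.swapNode|28|redhat|29|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,37893; reference:cve,2010-0247; reference:cve,2011-0094; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-002; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-018; classtype:attempted-user; sid:24869; rev:2; service:http; )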
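# sid 24870 (CVE-2010-0247 / CVE-2011-0094, MS10-002 / MS11-018, BID 37893): mergeAttributes/swapNode memory
# corruption, HTTP direction, "body" variant of sid 24869. Two unordered, case-sensitive contents:
# body.mergeAttributes(body) and body.swapNode(body); still tied to the PoC's object name.
# Was classtype:misc-activity (lowest priority) even though the msg, CVEs and bulletins describe a memory-corruption
# exploit attempt and the other memory-corruption rules on this page (sid 15733, 24203-24205) use attempted-user;
# aligned to attempted-user (rev bumped).
00397 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer DOM mergeAttributes memory corruption attempt"; flow:to_client,established; file_data; content:"body.mergeAttributes|28|body|29|"; content:"body.swapNode|28|body|29|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,37893; reference:cve,2010-0247; reference:cve,2011-0094; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-002; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-018; classtype:attempted-user; sid:24870; rev:2; service:http; )
00397 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer DOM mergeAttributes memory corruption attempt"; flow:to_client,established; file_data; content:"body.mergeAttributes|28|body|29|"; content:"body.swapNode|28|body|29|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,37893; reference:cve,2010-0247; reference:cve,2011-0094; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-002; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-018; classtype:attempted-user; sid:24870; rev:2; service:http; )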
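# sid 24871 (CVE-2010-0247 / CVE-2011-0094, MS10-002 / MS11-018, BID 37893): SMTP copy of sid 24869 (inbound mail
# via file_data). Two unordered, case-sensitive contents keyed on the PoC's "redhat" object name.
# Was classtype:misc-activity (lowest priority) even though the msg, CVEs and bulletins describe a memory-corruption
# exploit attempt and the other memory-corruption rules on this page (sid 15733, 24203-24205) use attempted-user;
# aligned to attempted-user (rev bumped).
00398 alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer DOM mergeAttributes memory corruption attempt"; flow:to_server,established; file_data; content:"redhat.mergeAttributes|28|redhat|29|"; content:"redhat.swapNode|28|redhat|29|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,37893; reference:cve,2010-0247; reference:cve,2011-0094; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-002; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-018; classtype:attempted-user; sid:24871; rev:4; service:smtp; )
00398 alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer DOM mergeAttributes memory corruption attempt"; flow:to_server,established; file_data; content:"redhat.mergeAttributes|28|redhat|29|"; content:"redhat.swapNode|28|redhat|29|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,37893; reference:cve,2010-0247; reference:cve,2011-0094; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-002; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-018; classtype:attempted-user; sid:24871; rev:4; service:smtp; )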
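# sid 24872 (CVE-2010-0247 / CVE-2011-0094, MS10-002 / MS11-018, BID 37893): SMTP copy of sid 24870 (inbound mail
# via file_data), "body" variant. Two unordered, case-sensitive contents: body.mergeAttributes(body), body.swapNode(body).
# Was classtype:misc-activity (lowest priority) even though the msg, CVEs and bulletins describe a memory-corruption
# exploit attempt and the other memory-corruption rules on this page (sid 15733, 24203-24205) use attempted-user;
# aligned to attempted-user (rev bumped).
00399 alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer DOM mergeAttributes memory corruption attempt"; flow:to_server,established; file_data; content:"body.mergeAttributes|28|body|29|"; content:"body.swapNode|28|body|29|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,37893; reference:cve,2010-0247; reference:cve,2011-0094; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-002; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-018; classtype:attempted-user; sid:24872; rev:4; service:smtp; )
00399 alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer DOM mergeAttributes memory corruption attempt"; flow:to_server,established; file_data; content:"body.mergeAttributes|28|body|29|"; content:"body.swapNode|28|body|29|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,37893; reference:cve,2010-0247; reference:cve,2011-0094; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-002; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-018; classtype:attempted-user; sid:24872; rev:4; service:smtp; )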
# sid 24956 (CVE-2012-4787, MS12-077): use-after-free triggered by assigning a freshly created element to a style
# property and then garbage-collecting. Ordered contents getElementById -> document.createElement -> CollectGarbage
# -> .outerHTML (distance 0) plus an unordered "lastChild.style."; the PCRE then requires the getElementById()
# result (backreference \1) to be the object whose lastChild.style.<prop> receives the created element, followed by
# CollectGarbage and a later \1.outerHTML access.
# NOTE(review): the property-name class [a-z0-9()] in the PCRE has no quantifier, so <prop> must be exactly one
# character. If the sample uses a real property name (e.g. fontFamily) this never matches and a "+" is missing;
# confirm against the sample before changing.
# NOTE(review): classtype is attempted-dos although the referenced bulletin describes memory corruption and the
# other UAF rules here use attempted-user; check whether a crash-only PoC was the intent.
00400 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer invalid object property use after free memory corruption attempt"; flow:to_client,established; file_data; content:"getElementById"; content:"document.createElement",distance 0; content:"CollectGarbage",distance 0; content:".outerHTML",distance 0; content:"lastChild.style."; pcre:"/var\s*(\w+)\s*=\s*[\w\.]*?getElementById.*?\1\.lastChild\.style\.[a-z0-9()]\s*=\s*document\.createElement.*?CollectGarbage.*?\1\.outerHTML/ims"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-4787; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-077; classtype:attempted-dos; sid:24956; rev:2; service:http; service:imap; service:pop3; )
00400 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer invalid object property use after free memory corruption attempt"; flow:to_client,established; file_data; content:"getElementById"; content:"document.createElement",distance 0; content:"CollectGarbage",distance 0; content:".outerHTML",distance 0; content:"lastChild.style."; pcre:"/var\s*(\w+)\s*=\s*[\w\.]*?getElementById.*?\1\.lastChild\.style\.[a-z0-9()]\s*=\s*document\.createElement.*?CollectGarbage.*?\1\.outerHTML/ims"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-4787; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-077; classtype:attempted-dos; sid:24956; rev:2; service:http; service:imap; service:pop3; )
00400 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer invalid object property use after free memory corruption attempt"; flow:to_client,established; file_data; content:"getElementById"; content:"document.createElement",distance 0; content:"CollectGarbage",distance 0; content:".outerHTML",distance 0; content:"lastChild.style."; pcre:"/var\s*(\w+)\s*=\s*[\w\.]*?getElementById.*?\1\.lastChild\.style\.[a-z0-9()]\s*=\s*document\.createElement.*?CollectGarbage.*?\1\.outerHTML/ims"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-4787; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-077; classtype:attempted-dos; sid:24956; rev:2; service:http; service:imap; service:pop3; )
00400 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer invalid object property use after free memory corruption attempt"; flow:to_client,established; file_data; content:"getElementById"; content:"document.createElement",distance 0; content:"CollectGarbage",distance 0; content:".outerHTML",distance 0; content:"lastChild.style."; pcre:"/var\s*(\w+)\s*=\s*[\w\.]*?getElementById.*?\1\.lastChild\.style\.[a-z0-9()]\s*=\s*document\.createElement.*?CollectGarbage.*?\1\.outerHTML/ims"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-4787; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-077; classtype:attempted-dos; sid:24956; rev:2; service:http; service:imap; service:pop3; )
# sid 25125 (CVE-2012-4792, advisory 2794220): deobfuscation stub from the observed exploit page,
# .replace(/jj/g,"%"); (|28| |29 3B| are the call's parentheses and trailing ";"). Exact, case-sensitive string, so
# changing the "jj" delimiter or the replace call evades it. sid 25126-25128 match other fragments of the same page.
00401 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_client,established; file_data; content:".replace|28|/jj/g,|22|%|22 29 3B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25125; rev:1; service:http; service:imap; service:pop3; )
00401 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_client,established; file_data; content:".replace|28|/jj/g,|22|%|22 29 3B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25125; rev:1; service:http; service:imap; service:pop3; )
00401 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_client,established; file_data; content:".replace|28|/jj/g,|22|%|22 29 3B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25125; rev:1; service:http; service:imap; service:pop3; )
00401 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_client,established; file_data; content:".replace|28|/jj/g,|22|%|22 29 3B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25125; rev:1; service:http; service:imap; service:pop3; )
# sid 25126 (CVE-2012-4792, advisory 2794220): the "jj"-delimited hex encoding used by the same exploit page.
# jj76jj61jj72jj20jj65jj30jj20jj3D decodes (jj -> %, then unescape) to "var e0 =". Exact match on the encoded
# form, so a different delimiter or variable name evades it; pair with sid 25125, which catches the decoder stub.
00402 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_client,established; file_data; content:"jj76jj61jj72jj20jj65jj30jj20jj3D"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25126; rev:1; service:http; service:imap; service:pop3; )
00402 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_client,established; file_data; content:"jj76jj61jj72jj20jj65jj30jj20jj3D"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25126; rev:1; service:http; service:imap; service:pop3; )
00402 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_client,established; file_data; content:"jj76jj61jj72jj20jj65jj30jj20jj3D"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25126; rev:1; service:http; service:imap; service:pop3; )
00402 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_client,established; file_data; content:"jj76jj61jj72jj20jj65jj30jj20jj3D"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25126; rev:1; service:http; service:imap; service:pop3; )
# sid 25127 (CVE-2012-4792, advisory 2794220): the exploit page's Flash object plus iframe. Three unordered,
# case-sensitive contents: the Shockwave Flash ActiveX CLSID D27CDB6E-AE6D-11cf-96B8-444553540000, the
# <param name=\"movie\" value=\"today.swf\" /> tag (|5C 22| = backslash-escaped quotes, i.e. HTML emitted from
# inside a JavaScript string) and <iframe src=news.html></iframe>. The file names today.swf / news.html are
# specific to the observed page.
00403 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_client,established; file_data; content:"D27CDB6E-AE6D-11cf-96B8-444553540000"; content:"<param name=|5C 22|movie|5C 22| value=|5C 22|today.swf|5C 22| />"; content:"<iframe src=news.html></iframe>"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25127; rev:1; service:http; service:imap; service:pop3; )
00403 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_client,established; file_data; content:"D27CDB6E-AE6D-11cf-96B8-444553540000"; content:"<param name=|5C 22|movie|5C 22| value=|5C 22|today.swf|5C 22| />"; content:"<iframe src=news.html></iframe>"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25127; rev:1; service:http; service:imap; service:pop3; )
00403 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_client,established; file_data; content:"D27CDB6E-AE6D-11cf-96B8-444553540000"; content:"<param name=|5C 22|movie|5C 22| value=|5C 22|today.swf|5C 22| />"; content:"<iframe src=news.html></iframe>"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25127; rev:1; service:http; service:imap; service:pop3; )
00403 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_client,established; file_data; content:"D27CDB6E-AE6D-11cf-96B8-444553540000"; content:"<param name=|5C 22|movie|5C 22| value=|5C 22|today.swf|5C 22| />"; content:"<iframe src=news.html></iframe>"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25127; rev:1; service:http; service:imap; service:pop3; )
00404 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_client,established; file_data; content:"|EB D7 77 82 93 D0 7C F6 8B 08 73 08 FD 8B 6B FD|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25128; rev:1; service:http; service:imap; service:pop3; )
00404 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_client,established; file_data; content:"|EB D7 77 82 93 D0 7C F6 8B 08 73 08 FD 8B 6B FD|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25128; rev:1; service:http; service:imap; service:pop3; )
00404 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_client,established; file_data; content:"|EB D7 77 82 93 D0 7C F6 8B 08 73 08 FD 8B 6B FD|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25128; rev:1; service:http; service:imap; service:pop3; )
00404 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_client,established; file_data; content:"|EB D7 77 82 93 D0 7C F6 8B 08 73 08 FD 8B 6B FD|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25128; rev:1; service:http; service:imap; service:pop3; )
00405 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_client,established; file_data; content:"appendChild|28|"; content:"document.createElement|28|",within 50; content:"button",within 20; content:"outerText",within 200; pcre:"/appendChild\x28\s*document\x2ecreateElement\x28\s*[\x22\x27]button[\x22\x27].*?outerText\s*=\s*[\x22\x27]{2}/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25129; rev:1; service:http; service:imap; service:pop3; )
00405 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_client,established; file_data; content:"appendChild|28|"; content:"document.createElement|28|",within 50; content:"button",within 20; content:"outerText",within 200; pcre:"/appendChild\x28\s*document\x2ecreateElement\x28\s*[\x22\x27]button[\x22\x27].*?outerText\s*=\s*[\x22\x27]{2}/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25129; rev:1; service:http; service:imap; service:pop3; )
00405 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_client,established; file_data; content:"appendChild|28|"; content:"document.createElement|28|",within 50; content:"button",within 20; content:"outerText",within 200; pcre:"/appendChild\x28\s*document\x2ecreateElement\x28\s*[\x22\x27]button[\x22\x27].*?outerText\s*=\s*[\x22\x27]{2}/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25129; rev:1; service:http; service:imap; service:pop3; )
00405 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_client,established; file_data; content:"appendChild|28|"; content:"document.createElement|28|",within 50; content:"button",within 20; content:"outerText",within 200; pcre:"/appendChild\x28\s*document\x2ecreateElement\x28\s*[\x22\x27]button[\x22\x27].*?outerText\s*=\s*[\x22\x27]{2}/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25129; rev:1; service:http; service:imap; service:pop3; )
# --- CVE-2012-4792, SMTP-delivered variants ---
# sid:25130 and sid:25131 are a pair keyed to one sample's obfuscation scheme: 25130 matches
# the decoder  .replace(/jj/g,"%");  and 25131 matches the encoded prefix
# jj76jj61jj72jj20jj65jj30jj20jj3D, which is the hex of "var e0 =" with "jj" standing in
# for "%". Any other separator token or variable name defeats both rules; no HTTP-side
# counterpart for this pair is visible in this section.
00406 alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_server,established; file_data; content:".replace|28|/jj/g,|22|%|22 29 3B|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25130; rev:2; service:smtp; )
00406 alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_server,established; file_data; content:".replace|28|/jj/g,|22|%|22 29 3B|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25130; rev:2; service:smtp; )
00407 alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_server,established; file_data; content:"jj76jj61jj72jj20jj65jj30jj20jj3D"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25131; rev:2; service:smtp; )
00407 alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_server,established; file_data; content:"jj76jj61jj72jj20jj65jj30jj20jj3D"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25131; rev:2; service:smtp; )
# sid:25132 / sid:25133 / sid:25134 mirror sid:25127 / 25128 / 25129 for mail delivery:
# the content and pcre options are byte-for-byte the same, only transport, service and
# rev differ (rev:2 here vs rev:1 there). Keep each pair in sync when tuning; the notes
# on sample-specific file names and the unexplained 16-byte sequence apply here too.
00408 alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_server,established; file_data; content:"D27CDB6E-AE6D-11cf-96B8-444553540000"; content:"<param name=|5C 22|movie|5C 22| value=|5C 22|today.swf|5C 22| />"; content:"<iframe src=news.html></iframe>"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25132; rev:2; service:smtp; )
00408 alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_server,established; file_data; content:"D27CDB6E-AE6D-11cf-96B8-444553540000"; content:"<param name=|5C 22|movie|5C 22| value=|5C 22|today.swf|5C 22| />"; content:"<iframe src=news.html></iframe>"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25132; rev:2; service:smtp; )
00409 alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_server,established; file_data; content:"|EB D7 77 82 93 D0 7C F6 8B 08 73 08 FD 8B 6B FD|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25133; rev:2; service:smtp; )
00409 alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_server,established; file_data; content:"|EB D7 77 82 93 D0 7C F6 8B 08 73 08 FD 8B 6B FD|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25133; rev:2; service:smtp; )
00410 alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_server,established; file_data; content:"appendChild|28|"; content:"document.createElement|28|",within 50; content:"button",within 20; content:"outerText",within 200; pcre:"/appendChild\x28\s*document\x2ecreateElement\x28\s*[\x22\x27]button[\x22\x27].*?outerText\s*=\s*[\x22\x27]{2}/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25134; rev:2; service:smtp; )
00410 alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_server,established; file_data; content:"appendChild|28|"; content:"document.createElement|28|",within 50; content:"button",within 20; content:"outerText",within 200; pcre:"/appendChild\x28\s*document\x2ecreateElement\x28\s*[\x22\x27]button[\x22\x27].*?outerText\s*=\s*[\x22\x27]{2}/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25134; rev:2; service:smtp; )
# sid:25234 / sid:25235 — redirect check filed under CVE-2012-4792:
#   window.location = unescape("%...http:   (a percent-encoded URL handed to unescape)
# Nothing here is specific to the vulnerability, so expect hits on any page that uses this
# legacy redirect idiom; triage these alerts together with the sids above rather than alone.
# The "http",within 30 pre-filter is the only length bound on the encoded URL — the PCRE's
# [^"']* is unbounded. Neither the content matches nor the PCRE are case-insensitive, which
# is correct for JavaScript identifiers.
# NOTE(review): the pcre contains an unescaped double quote (["']) inside the option's own
# double-quoted string; sibling rules write \x22 instead. Confirm this parses in the target
# Snort version (or that the backslash was lost in rendering) before relying on the rule.
00411 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_client,established; file_data; content:"window.location"; content:"unescape",within 30; content:"http",within 30; pcre:"/window\x2elocation\s*=\s*unescape\s*\x28\s*["']\x25[^"']*https?\x3a/"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25234; rev:1; service:http; service:imap; service:pop3; )
00411 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_client,established; file_data; content:"window.location"; content:"unescape",within 30; content:"http",within 30; pcre:"/window\x2elocation\s*=\s*unescape\s*\x28\s*["']\x25[^"']*https?\x3a/"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25234; rev:1; service:http; service:imap; service:pop3; )
00411 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_client,established; file_data; content:"window.location"; content:"unescape",within 30; content:"http",within 30; pcre:"/window\x2elocation\s*=\s*unescape\s*\x28\s*["']\x25[^"']*https?\x3a/"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25234; rev:1; service:http; service:imap; service:pop3; )
00411 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_client,established; file_data; content:"window.location"; content:"unescape",within 30; content:"http",within 30; pcre:"/window\x2elocation\s*=\s*unescape\s*\x28\s*["']\x25[^"']*https?\x3a/"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25234; rev:1; service:http; service:imap; service:pop3; )
# sid:25235 — SMTP transport of sid:25234, same content and pcre; keep the two in sync.
00412 alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_server,established; file_data; content:"window.location"; content:"unescape",within 30; content:"http",within 30; pcre:"/window\x2elocation\s*=\s*unescape\s*\x28\s*["']\x25[^"']*https?\x3a/"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25235; rev:2; service:smtp; )
00412 alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_server,established; file_data; content:"window.location"; content:"unescape",within 30; content:"http",within 30; pcre:"/window\x2elocation\s*=\s*unescape\s*\x28\s*["']\x25[^"']*https?\x3a/"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25235; rev:2; service:smtp; )
# sid:25769 — CVE-2013-0027 (MS13-009): queryCommandState("paste") combined with an
# onbeforepaste handler ("paste" must start within 6 bytes of the opening paren, which
# allows for a quote and a little whitespace).
# Inconsistency: the first two content matches are nocase but "onbeforepaste" is not, so
# the attribute written as onBeforePaste (HTML attribute names are case-insensitive) is not
# matched; add nocase to the third content.
# This rule also covers only $HTTP_PORTS / service http, while its neighbours use
# $FILE_DATA_PORTS with imap and pop3 as well — confirm the narrower scope is intentional.
00413 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CHTMLEditor object use after free attempt"; flow:to_client,established; file_data; content:"querycommandstate(",nocase; content:"paste",within 6,nocase; content:"onbeforepaste"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:25769; rev:4; service:http; )
00413 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CHTMLEditor object use after free attempt"; flow:to_client,established; file_data; content:"querycommandstate(",nocase; content:"paste",within 6,nocase; content:"onbeforepaste"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:25769; rev:4; service:http; )
# sid:25770 — CVE-2013-0020 (MS13-009): DOMParser + createCDATASection + .cloneNode, then
# adoptNode (distance 0, i.e. after the cloneNode match) and an explicit CollectGarbage()
# call. Only adoptNode is relative; the other matches are absolute, so document order is
# not otherwise enforced.
# "DOMParser" is the only case-sensitive match. "CollectGarbage()" requires the parentheses
# to follow the name with no whitespace between them; matching "CollectGarbage" and checking
# the call separately would be more tolerant of formatting differences.
00414 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer deleted object access memory corruption attempt"; flow:to_client,established; file_data; content:"DOMParser"; content:"createCDATASection",nocase; content:"|2E|cloneNode",nocase; content:"adoptNode",distance 0,nocase; content:"CollectGarbage()",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-0020; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-009; classtype:attempted-user; sid:25770; rev:1; service:http; service:imap; service:pop3; )
00414 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer deleted object access memory corruption attempt"; flow:to_client,established; file_data; content:"DOMParser"; content:"createCDATASection",nocase; content:"|2E|cloneNode",nocase; content:"adoptNode",distance 0,nocase; content:"CollectGarbage()",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-0020; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-009; classtype:attempted-user; sid:25770; rev:1; service:http; service:imap; service:pop3; )
00414 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer deleted object access memory corruption attempt"; flow:to_client,established; file_data; content:"DOMParser"; content:"createCDATASection",nocase; content:"|2E|cloneNode",nocase; content:"adoptNode",distance 0,nocase; content:"CollectGarbage()",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-0020; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-009; classtype:attempted-user; sid:25770; rev:1; service:http; service:imap; service:pop3; )
00414 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer deleted object access memory corruption attempt"; flow:to_client,established; file_data; content:"DOMParser"; content:"createCDATASection",nocase; content:"|2E|cloneNode",nocase; content:"adoptNode",distance 0,nocase; content:"CollectGarbage()",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-0020; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-009; classtype:attempted-user; sid:25770; rev:1; service:http; service:imap; service:pop3; )
# sid:25773 — CVE-2013-0030: VML shape element given an over-long "path" attribute.
# The content chain plus isdataat:506,relative and content:!")",within 506 require a
# setAttribute("path", ...) value of at least 506 bytes with no closing paren; the PCRE
# re-checks that with [^\x29]{506} and ties the element to a later <var>.path access via
# the m1 back-reference.
# BUG(review): the PCRE uses  s*?  in three places where  \s*?  is evidently intended:
#   (?P<m1>\w+)s*?=s*?document     (?P=m1)s*?.\s*?setAttribute     (?P=m1)\.s*?path
# s*? matches zero or more literal 's', so an assignment written with spaces around '='
# (var x = document.createElement(...)) cannot match: \w+ stops at the space and nothing
# consumes it. Only the no-whitespace form (var x=document...) is detected. The unescaped
# '.' in document.createElement is harmless (it matches any byte). Change the three s*? to
# \s*?, re-test against the reference sample and bump rev.
# Also: this is the only rule in the section with no reference:url; add the bulletin link.
00415 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer VML shape object malformed path attempt"; flow:to_client,established; file_data; content:"document.createElement(",nocase; content:"shape",nocase; content:"setAttribute(",distance 0,fast_pattern,nocase; content:"path",within 5,distance 1,nocase; isdataat:506,relative; content:!")",within 506; pcre:"/var\s*?(?P<m1>\w+)s*?=s*?document.createElement\s*?\([\x22\x27][\w]s*?[\x3a\x3b]\s*?shape[\x22\x27]\).*?(?P=m1)s*?.\s*?setAttribute\s*?\(\s*?[\x22\x27]\s*?path\s*?[\x22\x27]\s*?,\s*?[\x22\x27][^\x29]{506}.*?(?P=m1)\.s*?path/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-0030; classtype:attempted-user; sid:25773; rev:4; service:http; service:imap; service:pop3; )
00415 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer VML shape object malformed path attempt"; flow:to_client,established; file_data; content:"document.createElement(",nocase; content:"shape",nocase; content:"setAttribute(",distance 0,fast_pattern,nocase; content:"path",within 5,distance 1,nocase; isdataat:506,relative; content:!")",within 506; pcre:"/var\s*?(?P<m1>\w+)s*?=s*?document.createElement\s*?\([\x22\x27][\w]s*?[\x3a\x3b]\s*?shape[\x22\x27]\).*?(?P=m1)s*?.\s*?setAttribute\s*?\(\s*?[\x22\x27]\s*?path\s*?[\x22\x27]\s*?,\s*?[\x22\x27][^\x29]{506}.*?(?P=m1)\.s*?path/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-0030; classtype:attempted-user; sid:25773; rev:4; service:http; service:imap; service:pop3; )
00415 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer VML shape object malformed path attempt"; flow:to_client,established; file_data; content:"document.createElement(",nocase; content:"shape",nocase; content:"setAttribute(",distance 0,fast_pattern,nocase; content:"path",within 5,distance 1,nocase; isdataat:506,relative; content:!")",within 506; pcre:"/var\s*?(?P<m1>\w+)s*?=s*?document.createElement\s*?\([\x22\x27][\w]s*?[\x3a\x3b]\s*?shape[\x22\x27]\).*?(?P=m1)s*?.\s*?setAttribute\s*?\(\s*?[\x22\x27]\s*?path\s*?[\x22\x27]\s*?,\s*?[\x22\x27][^\x29]{506}.*?(?P=m1)\.s*?path/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-0030; classtype:attempted-user; sid:25773; rev:4; service:http; service:imap; service:pop3; )
00415 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer VML shape object malformed path attempt"; flow:to_client,established; file_data; content:"document.createElement(",nocase; content:"shape",nocase; content:"setAttribute(",distance 0,fast_pattern,nocase; content:"path",within 5,distance 1,nocase; isdataat:506,relative; content:!")",within 506; pcre:"/var\s*?(?P<m1>\w+)s*?=s*?document.createElement\s*?\([\x22\x27][\w]s*?[\x3a\x3b]\s*?shape[\x22\x27]\).*?(?P=m1)s*?.\s*?setAttribute\s*?\(\s*?[\x22\x27]\s*?path\s*?[\x22\x27]\s*?,\s*?[\x22\x27][^\x29]{506}.*?(?P=m1)\.s*?path/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-0030; classtype:attempted-user; sid:25773; rev:4; service:http; service:imap; service:pop3; )
# sid:25784 / sid:25785 — CVE-2013-0022 (MS13-009): <figure dir="rtl"> followed by a run
# of 100 consecutive HTML entities, (&#?x?[a-z\d]{2,4}\x3b){100}. The content matches only
# pre-qualify (a single '&' within 50 bytes of "rtl"); the {100} run is the real
# discriminator, and under /s the preceding .*? lets it sit anywhere later in the document.
# The two rules are identical apart from transport/service — keep them in sync.
00416 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer text layout calculation use after free attempt"; flow:to_client,established; file_data; content:"<figure",nocase; content:"dir",within 50,nocase; content:"rtl",within 50,nocase; content:"&",within 50; pcre:"/<figure[^>]+?dir\s*?=\s*?[\x22\x27]\s*?rtl\s*?[\x22\x27].*?(&#?x?[a-z\d]{2,4}\x3b){100}/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-0022; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:25784; rev:1; service:http; service:imap; service:pop3; )
00416 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer text layout calculation use after free attempt"; flow:to_client,established; file_data; content:"<figure",nocase; content:"dir",within 50,nocase; content:"rtl",within 50,nocase; content:"&",within 50; pcre:"/<figure[^>]+?dir\s*?=\s*?[\x22\x27]\s*?rtl\s*?[\x22\x27].*?(&#?x?[a-z\d]{2,4}\x3b){100}/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-0022; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:25784; rev:1; service:http; service:imap; service:pop3; )
00416 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer text layout calculation use after free attempt"; flow:to_client,established; file_data; content:"<figure",nocase; content:"dir",within 50,nocase; content:"rtl",within 50,nocase; content:"&",within 50; pcre:"/<figure[^>]+?dir\s*?=\s*?[\x22\x27]\s*?rtl\s*?[\x22\x27].*?(&#?x?[a-z\d]{2,4}\x3b){100}/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-0022; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:25784; rev:1; service:http; service:imap; service:pop3; )
00416 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer text layout calculation use after free attempt"; flow:to_client,established; file_data; content:"<figure",nocase; content:"dir",within 50,nocase; content:"rtl",within 50,nocase; content:"&",within 50; pcre:"/<figure[^>]+?dir\s*?=\s*?[\x22\x27]\s*?rtl\s*?[\x22\x27].*?(&#?x?[a-z\d]{2,4}\x3b){100}/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-0022; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:25784; rev:1; service:http; service:imap; service:pop3; )
00417 alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer text layout calculation use after free attempt"; flow:to_server,established; file_data; content:"<figure",nocase; content:"dir",within 50,nocase; content:"rtl",within 50,nocase; content:"&",within 50; pcre:"/<figure[^>]+?dir\s*?=\s*?[\x22\x27]\s*?rtl\s*?[\x22\x27].*?(&#?x?[a-z\d]{2,4}\x3b){100}/si"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-0022; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:25785; rev:2; service:smtp; )
00417 alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer text layout calculation use after free attempt"; flow:to_server,established; file_data; content:"<figure",nocase; content:"dir",within 50,nocase; content:"rtl",within 50,nocase; content:"&",within 50; pcre:"/<figure[^>]+?dir\s*?=\s*?[\x22\x27]\s*?rtl\s*?[\x22\x27].*?(&#?x?[a-z\d]{2,4}\x3b){100}/si"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-0022; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:25785; rev:2; service:smtp; )
# sid:25786 / sid:25787 — CVE-2013-0026 (MS13-009): SelectAll and execCommand("Justify
# inside a <script> block.
# BUG(review): every content match here is absolute (no distance/within), so each one is
# searched from the start of the buffer. The repeated "execCommand|28 22|Justify" and
# "SelectAll" patterns therefore re-find the same occurrence and add nothing — one SelectAll
# and one Justify call already satisfy the rule. If two calls are the intended condition,
# give the second of each  distance 0  so it is searched after the first match.
# The two rules are identical apart from transport/service — keep them in sync.
00418 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 9 deleted object access memory corruption attempt"; flow:to_client,established; file_data; content:"<script>",nocase; content:"SelectAll",nocase; content:"execCommand|28 22|Justify",nocase; content:"execCommand|28 22|Justify",nocase; content:"SelectAll",nocase; content:"</script>",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-0026; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-009; classtype:attempted-user; sid:25786; rev:1; service:http; service:imap; service:pop3; )
00418 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 9 deleted object access memory corruption attempt"; flow:to_client,established; file_data; content:"<script>",nocase; content:"SelectAll",nocase; content:"execCommand|28 22|Justify",nocase; content:"execCommand|28 22|Justify",nocase; content:"SelectAll",nocase; content:"</script>",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-0026; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-009; classtype:attempted-user; sid:25786; rev:1; service:http; service:imap; service:pop3; )
00418 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 9 deleted object access memory corruption attempt"; flow:to_client,established; file_data; content:"<script>",nocase; content:"SelectAll",nocase; content:"execCommand|28 22|Justify",nocase; content:"execCommand|28 22|Justify",nocase; content:"SelectAll",nocase; content:"</script>",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-0026; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-009; classtype:attempted-user; sid:25786; rev:1; service:http; service:imap; service:pop3; )
00418 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 9 deleted object access memory corruption attempt"; flow:to_client,established; file_data; content:"<script>",nocase; content:"SelectAll",nocase; content:"execCommand|28 22|Justify",nocase; content:"execCommand|28 22|Justify",nocase; content:"SelectAll",nocase; content:"</script>",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-0026; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-009; classtype:attempted-user; sid:25786; rev:1; service:http; service:imap; service:pop3; )
00419 alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer 9 deleted object access memory corruption attempt"; flow:to_server,established; file_data; content:"<script>",nocase; content:"SelectAll",nocase; content:"execCommand|28 22|Justify",nocase; content:"execCommand|28 22|Justify",nocase; content:"SelectAll",nocase; content:"</script>",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-0026; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-009; classtype:attempted-user; sid:25787; rev:2; service:smtp; )
00419 alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer 9 deleted object access memory corruption attempt"; flow:to_server,established; file_data; content:"<script>",nocase; content:"SelectAll",nocase; content:"execCommand|28 22|Justify",nocase; content:"execCommand|28 22|Justify",nocase; content:"SelectAll",nocase; content:"</script>",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-0026; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-009; classtype:attempted-user; sid:25787; rev:2; service:smtp; )
# sid:25789 — CVE-2013-0019 (MS13-009): a named <iframe> with no src= (negated content
# within 40 bytes of the tag), closed immediately, then two window.open( calls that name
# that frame; the iframe_name named group and its back-references tie the three together.
# The negated "src=" is byte-exact (no nocase, no whitespace tolerance), so it only excludes
# iframes written exactly that way — the PCRE is what actually decides. Only the SMTP
# variant of this rule is visible in this section.
00420 alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer iframe use after free attempt"; flow:to_server,established; file_data; content:"<iframe",nocase; content:!"src=",within 40; content:"></iframe"; content:"window.open",nocase; content:"name",nocase; pcre:"/<iframe[^>]+name\s*=\s*[\x22\x27](?P<iframe_name>\w+)[\x22\x27].*?><\x2fiframe\s*>.*?window\x2eopen\x28.{1,30}(?P=iframe_name).*?window\x2eopen\x28.{1,60}(?P=iframe_name)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-0019; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-009; classtype:attempted-user; sid:25789; rev:3; service:smtp; )
00420 alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer iframe use after free attempt"; flow:to_server,established; file_data; content:"<iframe",nocase; content:!"src=",within 40; content:"></iframe"; content:"window.open",nocase; content:"name",nocase; pcre:"/<iframe[^>]+name\s*=\s*[\x22\x27](?P<iframe_name>\w+)[\x22\x27].*?><\x2fiframe\s*>.*?window\x2eopen\x28.{1,30}(?P=iframe_name).*?window\x2eopen\x28.{1,60}(?P=iframe_name)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-0019; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-009; classtype:attempted-user; sid:25789; rev:3; service:smtp; )
# sid:25792 (next rule) — CVE-2013-0023: matches one sample's exact SVG <image> coordinates
# and file name (2.svg). That is an IoC match, not vulnerability coverage. It is also the
# only rule in this section classed attempted-admin rather than attempted-user, and the
# only one besides sid:25769 limited to $HTTP_PORTS/service http — confirm both are intended.
00421 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer SVG object use after free attempt"; flow:to_client,established; file_data; content:"image x=|22|60|22| y=|22|50|22| width=|22|240|22| height=|22|240|22| xlink|3A|href=|22|2.svg"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0023; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-009; classtype:attempted-admin; sid:25792; rev:2; service:http; )
00421 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer SVG object use after free attempt"; flow:to_client,established; file_data; content:"image x=|22|60|22| y=|22|50|22| width=|22|240|22| height=|22|240|22| xlink|3A|href=|22|2.svg"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0023; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-009; classtype:attempted-admin; sid:25792; rev:2; service:http; )
00422 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer userdata behavior memory corruption attempt"; flow:to_client,established; file_data; content:"|6F 48 6F 6D 65 39 36 44 43 47 6F 48 6F 6D 65 38 33 38 33 47|"; content:"|3C|script",nocase; content:"addBehavior|28|",nocase; content:"|23|default|23|userData",within 30,nocase; content:"setAttribute|28|",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,38615; reference:cve,2010-0806; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-018; classtype:attempted-user; sid:25984; rev:3; service:http; service:imap; service:pop3; )
00423 alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer userdata behavior memory corruption attempt"; flow:to_server,established; file_data; content:"|6F 48 6F 6D 65 39 36 44 43 47 6F 48 6F 6D 65 38 33 38 33 47|"; content:"|3C|script",nocase; content:"addBehavior|28|",nocase; content:"|23|default|23|userData",within 30,nocase; content:"setAttribute|28|",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,38615; reference:cve,2010-0806; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-018; classtype:attempted-user; sid:25985; rev:4; service:smtp; )
00424 alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer userdata behavior memory corruption attempt"; flow:to_server,established; file_data; content:"|3C|script|3E|",nocase; content:"|2E|style|2E|behavior",nocase; content:"|23|default|23|userData",distance 0,nocase; content:"setAttribute|28|"; pcre:"/(?P<obj>[A-Z\d_]+)\x2Estyle\x2Ebehavior\s*\x3D\s*\x22url\x28\x27\x23default\x23userData\x27\x29\x22.*?(?P=obj)\x2EsetAttribute\x28[^,]+,\s*[A-Z]/smi"; content:"|3C 2F|script|3E|",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,38615; reference:cve,2010-0806; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-018; classtype:attempted-user; sid:25986; rev:2; service:smtp; )
00425 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer ANI file parsing buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.ani; file_data; content:"RIFF",depth 4; content:"ACON",within 4,distance 4; content:"anih",distance 0,nocase; byte_test:4,>,36,0,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http,service imap,service pop3; reference:cve,2004-1049; reference:cve,2007-0038; reference:cve,2007-1765; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-002; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-017; classtype:attempted-user; sid:3079; rev:19; service:http; service:imap; service:pop3; )
00426 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 2D-position use after free attempt"; flow:to_client,established; file_data; content:"document.execCommand"; content:"2D-position",within 100,fast_pattern,nocase; content:"contenteditable",distance 0,nocase; content:"true",within 10,nocase; content:"onresize",distance 0,nocase; content:"document.write",within 30; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-0087; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-021; classtype:attempted-user; sid:26125; rev:1; service:http; service:imap; service:pop3; )
00427 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer htc file use after free attempt"; flow:to_client,established; flowbits:isset,file.htc; file_data; content:"<PUBLIC:PROPERTY"; content:"PUT",distance 0; content:"CollectGarbage()"; pcre:"/<PUBLIC:PROPERTY[^>]*?PUT\s*=\s*[\x22\x27](?P<func>\w*).*?function\s*(?P=func).*?\x7b[^\x7c]*?CollectGarbage\x28\x29/sm"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-0094; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-021; classtype:attempted-user; sid:26129; rev:2; service:http; service:imap; service:pop3; )
00428 alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer htc file use after free attempt"; flow:to_server,established; flowbits:isset,file.htc; file_data; content:"<PUBLIC:PROPERTY"; content:"PUT",distance 0; content:"CollectGarbage()"; pcre:"/<PUBLIC:PROPERTY[^>]*?PUT\s*=\s*[\x22\x27](?P<func>\w*).*?function\s*(?P=func).*?\x7b[^\x7c]*?CollectGarbage\x28\x29/sm"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-0094; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-021; classtype:attempted-user; sid:26130; rev:2; service:smtp; )
00429 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer saveHistory use after free attempt"; flow:to_client,established; file_data; content:"behavior",nocase; content:"url",within 5,nocase; content:"#savehistory",distance 0,fast_pattern,nocase; content:".outerHTML",distance 0,nocase; pcre:"/<\s*meta[^>]*?(?>content\s*=\s*"history"[^>]*?name\s*=\s*"save"|name\s*=\s*"save"[^>]*?content\s*=\s*"history")\s*>.*?<\s*style[^>]*?>.*?\.(?P<class>\w+)\s*\{[^}]*?behavior\s*\:[^\;]*?url\s*\x28[^\x29]*?#savehistory[^\x29]*?\x29.*?(?P<element>\w+)\.outerHTML\s*=.*?id\s*=\s*[\x22\x27](?P=element)[\x22\x27].*?class=[\x22\x27]?(?P=class)[\x23\x27]?/ims"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-0088; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-021; classtype:attempted-dos; sid:26132; rev:2; service:http; service:imap; service:pop3; )
00430 alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer saveHistory use after free attempt"; flow:to_server,established; file_data; content:"behavior",nocase; content:"url",within 5,nocase; content:"#savehistory",distance 0,fast_pattern,nocase; content:".outerHTML",distance 0,nocase; pcre:"/<\s*meta[^>]*?(?>content\s*=\s*"history"[^>]*?name\s*=\s*"save"|name\s*=\s*"save"[^>]*?content\s*=\s*"history")\s*>.*?<\s*style[^>]*?>.*?\.(?P<class>\w+)\s*\{[^}]*?behavior\s*\:[^\;]*?url\s*\x28[^\x29]*?#savehistory[^\x29]*?\x29.*?(?P<element>\w+)\.outerHTML\s*=.*?id\s*=\s*[\x22\x27](?P=element)[\x22\x27].*?class=[\x22\x27]?(?P=class)[\x23\x27]?/ims"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-0088; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-021; classtype:attempted-dos; sid:26133; rev:3; service:smtp; )
00431 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 8 deleted object access memory corruption attempt"; flow:to_client,established; file_data; content:"<title onreadystatechange ="; content:"style = '-ms-behavior: url(",within 50,distance 10,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-0091; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-021; classtype:attempted-user; sid:26134; rev:1; service:http; service:imap; service:pop3; )
00432 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer saveHistory use after free attempt"; flow:to_client,established; file_data; content:".saveHistory {behavior|3A|url(#default#savehistory)|3B|}"; content:"CLASS=saveHistory onsave=",nocase; content:"setTimeout"; content:"document.open()"; content:"document.createElement(",within 100; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-0089; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-021; classtype:attempted-user; sid:26135; rev:1; service:http; service:imap; service:pop3; )
00433 alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer saveHistory use after free attempt"; flow:to_server,established; file_data; content:".saveHistory {behavior|3A|url(#default#savehistory)|3B|}"; content:"CLASS=saveHistory onsave=",nocase; content:"setTimeout"; content:"document.open()"; content:"document.createElement(",within 100; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-0089; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-021; classtype:attempted-user; sid:26136; rev:1; service:smtp; )
00434 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 9 onBeforeCopy use after free attempt"; flow:to_client,established; file_data; content:"<body onload=|27|document.execCommand(|22|SelectAll|22|)|3B 27| onbeforecopy="; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-0093; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-021; classtype:attempted-user; sid:26137; rev:1; service:http; service:imap; service:pop3; )
00435 alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer 9 onBeforeCopy use after free attempt"; flow:to_server,established; file_data; content:"<body onload=|27|document.execCommand(|22|SelectAll|22|)|3B 27| onbeforecopy="; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-0093; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-021; classtype:attempted-user; sid:26138; rev:2; service:smtp; )
00436 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CHTMLEditor object use after free attempt"; flow:to_client,established; file_data; content:"querycommandstate(",nocase; content:"copy",within 5,nocase; content:"onbeforecopy"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:26216; rev:2; service:http; )
00437 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CHTMLEditor object use after free attempt"; flow:to_client,established; file_data; content:"querycommandstate(",nocase; content:"cut",within 4,nocase; content:"onbeforecut"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:26217; rev:2; service:http; )
00438 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CHTMLEditor object use after free attempt"; flow:to_client,established; file_data; content:"querycommandenabled(",nocase; content:"paste",within 6,nocase; content:"onbeforepaste"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:26218; rev:2; service:http; )
00438 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CHTMLEditor object use after free attempt"; flow:to_client,established; file_data; content:"querycommandenabled(",nocase; content:"paste",within 6,nocase; content:"onbeforepaste"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:26218; rev:2; service:http; )
00439 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CHTMLEditor object use after free attempt"; flow:to_client,established; file_data; content:"querycommandenabled(",nocase; content:"copy",within 5,nocase; content:"onbeforecopy"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:26219; rev:2; service:http; )
00439 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CHTMLEditor object use after free attempt"; flow:to_client,established; file_data; content:"querycommandenabled(",nocase; content:"copy",within 5,nocase; content:"onbeforecopy"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:26219; rev:2; service:http; )
00440 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CHTMLEditor object use after free attempt"; flow:to_client,established; file_data; content:"querycommandenabled(",nocase; content:"cut",within 4,nocase; content:"onbeforecut"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:26220; rev:2; service:http; )
00440 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CHTMLEditor object use after free attempt"; flow:to_client,established; file_data; content:"querycommandenabled(",nocase; content:"cut",within 4,nocase; content:"onbeforecut"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:26220; rev:2; service:http; )
00441 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CHTMLEditor object use after free attempt"; flow:to_client,established; file_data; content:"querycommandindeterm(",nocase; content:"paste",within 6,nocase; content:"onbeforepaste"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:26221; rev:2; service:http; )
00441 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CHTMLEditor object use after free attempt"; flow:to_client,established; file_data; content:"querycommandindeterm(",nocase; content:"paste",within 6,nocase; content:"onbeforepaste"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:26221; rev:2; service:http; )
00442 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CHTMLEditor object use after free attempt"; flow:to_client,established; file_data; content:"querycommandindeterm(",nocase; content:"copy",within 5,nocase; content:"onbeforecopy"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:26222; rev:2; service:http; )
00442 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CHTMLEditor object use after free attempt"; flow:to_client,established; file_data; content:"querycommandindeterm(",nocase; content:"copy",within 5,nocase; content:"onbeforecopy"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:26222; rev:2; service:http; )
00443 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CHTMLEditor object use after free attempt"; flow:to_client,established; file_data; content:"querycommandindeterm(",nocase; content:"cut",within 4,nocase; content:"onbeforecut"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:26223; rev:2; service:http; )
00443 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CHTMLEditor object use after free attempt"; flow:to_client,established; file_data; content:"querycommandindeterm(",nocase; content:"cut",within 4,nocase; content:"onbeforecut"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:26223; rev:2; service:http; )
00444 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CHTMLEditor object use after free attempt"; flow:to_client,established; file_data; content:"querycommandvalue(",nocase; content:"paste",within 6,nocase; content:"onbeforepaste"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:26224; rev:2; service:http; )
00444 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CHTMLEditor object use after free attempt"; flow:to_client,established; file_data; content:"querycommandvalue(",nocase; content:"paste",within 6,nocase; content:"onbeforepaste"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:26224; rev:2; service:http; )
00445 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CHTMLEditor object use after free attempt"; flow:to_client,established; file_data; content:"querycommandvalue(",nocase; content:"copy",within 5,nocase; content:"onbeforecopy"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:26225; rev:2; service:http; )
00445 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CHTMLEditor object use after free attempt"; flow:to_client,established; file_data; content:"querycommandvalue(",nocase; content:"copy",within 5,nocase; content:"onbeforecopy"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:26225; rev:2; service:http; )
00446 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer isComponentInstalled attack attempt"; flow:to_client,established; file_data; content:"isComponentInstalled|28|boom"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:cve,2006-1016; reference:bugtraq,16870; classtype:attempted-user; sid:13912; rev:6; service:http; )
00446 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer isComponentInstalled attack attempt"; flow:to_client,established; file_data; content:"isComponentInstalled|28|boom"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:cve,2006-1016; reference:bugtraq,16870; classtype:attempted-user; sid:13912; rev:6; service:http; )
00447 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer null object access attempt"; flow:to_client,established; file_data; content:"offsetParent",fast_pattern; content:"null",within 10,nocase; content:"createElement"; content:"datalist",within 20; content:"createElement"; content:"table",within 20; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-1347; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-038; classtype:attempted-user; sid:26569; rev:2; service:http; service:imap; service:pop3; )
00447 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer null object access attempt"; flow:to_client,established; file_data; content:"offsetParent",fast_pattern; content:"null",within 10,nocase; content:"createElement"; content:"datalist",within 20; content:"createElement"; content:"table",within 20; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-1347; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-038; classtype:attempted-user; sid:26569; rev:2; service:http; service:imap; service:pop3; )
00447 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer null object access attempt"; flow:to_client,established; file_data; content:"offsetParent",fast_pattern; content:"null",within 10,nocase; content:"createElement"; content:"datalist",within 20; content:"createElement"; content:"table",within 20; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-1347; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-038; classtype:attempted-user; sid:26569; rev:2; service:http; service:imap; service:pop3; )
00447 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer null object access attempt"; flow:to_client,established; file_data; content:"offsetParent",fast_pattern; content:"null",within 10,nocase; content:"createElement"; content:"datalist",within 20; content:"createElement"; content:"table",within 20; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-1347; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-038; classtype:attempted-user; sid:26569; rev:2; service:http; service:imap; service:pop3; )
00448 alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer null object access attempt"; flow:to_server,established; file_data; content:"offsetParent",fast_pattern; content:"null",within 10,nocase; content:"createElement"; content:"datalist",within 20; content:"createElement"; content:"table",within 20; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-1347; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-038; classtype:attempted-user; sid:26571; rev:2; service:smtp; )
00448 alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer null object access attempt"; flow:to_server,established; file_data; content:"offsetParent",fast_pattern; content:"null",within 10,nocase; content:"createElement"; content:"datalist",within 20; content:"createElement"; content:"table",within 20; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-1347; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-038; classtype:attempted-user; sid:26571; rev:2; service:smtp; )
00449 alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer vector graphics reference counting use-after-free attempt"; flow:to_server,established; file_data; content:"|3C 3F|IMPORT namespace=|22|",nocase; content:"implementation=|22|#default#VML|22 3E|",within 50,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,52906; reference:cve,2012-0172; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-023; classtype:attempted-user; sid:26584; rev:2; service:smtp; )
00449 alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer vector graphics reference counting use-after-free attempt"; flow:to_server,established; file_data; content:"|3C 3F|IMPORT namespace=|22|",nocase; content:"implementation=|22|#default#VML|22 3E|",within 50,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,52906; reference:cve,2012-0172; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-023; classtype:attempted-user; sid:26584; rev:2; service:smtp; )
00450 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Windows Live Writer wlw protocol handler information disclosure attempt"; flow:to_client,established; file_data; content:"wlw|3A|//",fast_pattern,nocase; content:"/perflog",within 100,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-0096; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-045; classtype:attempted-recon; sid:26622; rev:1; service:http; service:imap; service:pop3; )
00450 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Windows Live Writer wlw protocol handler information disclosure attempt"; flow:to_client,established; file_data; content:"wlw|3A|//",fast_pattern,nocase; content:"/perflog",within 100,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-0096; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-045; classtype:attempted-recon; sid:26622; rev:1; service:http; service:imap; service:pop3; )
00450 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Windows Live Writer wlw protocol handler information disclosure attempt"; flow:to_client,established; file_data; content:"wlw|3A|//",fast_pattern,nocase; content:"/perflog",within 100,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-0096; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-045; classtype:attempted-recon; sid:26622; rev:1; service:http; service:imap; service:pop3; )
00450 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Windows Live Writer wlw protocol handler information disclosure attempt"; flow:to_client,established; file_data; content:"wlw|3A|//",fast_pattern,nocase; content:"/perflog",within 100,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-0096; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-045; classtype:attempted-recon; sid:26622; rev:1; service:http; service:imap; service:pop3; )
00451 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Windows Live Writer wlw protocol handler information disclosure attempt"; flow:to_client,established; file_data; content:"wlw|3A|//",fast_pattern,nocase; content:"/proxy",within 100,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-0096; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-045; classtype:attempted-recon; sid:26623; rev:1; service:http; service:imap; service:pop3; )
00451 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Windows Live Writer wlw protocol handler information disclosure attempt"; flow:to_client,established; file_data; content:"wlw|3A|//",fast_pattern,nocase; content:"/proxy",within 100,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-0096; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-045; classtype:attempted-recon; sid:26623; rev:1; service:http; service:imap; service:pop3; )
00451 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Windows Live Writer wlw protocol handler information disclosure attempt"; flow:to_client,established; file_data; content:"wlw|3A|//",fast_pattern,nocase; content:"/proxy",within 100,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-0096; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-045; classtype:attempted-recon; sid:26623; rev:1; service:http; service:imap; service:pop3; )
00451 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Windows Live Writer wlw protocol handler information disclosure attempt"; flow:to_client,established; file_data; content:"wlw|3A|//",fast_pattern,nocase; content:"/proxy",within 100,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-0096; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-045; classtype:attempted-recon; sid:26623; rev:1; service:http; service:imap; service:pop3; )
00452 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 7-9 VBScript JSON reference information disclosure attempt"; flow:to_client,established; file_data; content:"language=vbs",depth 200; content:"<script",within 200,distance -150; pcre:"/<script[^>]*src\s*=\s*[\x22\x27][^\x22\x27]*\.json[\x22\x27][^>]*language=vbs/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-1297; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-recon; sid:26624; rev:1; service:http; service:imap; service:pop3; )
00452 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 7-9 VBScript JSON reference information disclosure attempt"; flow:to_client,established; file_data; content:"language=vbs",depth 200; content:"<script",within 200,distance -150; pcre:"/<script[^>]*src\s*=\s*[\x22\x27][^\x22\x27]*\.json[\x22\x27][^>]*language=vbs/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-1297; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-recon; sid:26624; rev:1; service:http; service:imap; service:pop3; )
00452 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 7-9 VBScript JSON reference information disclosure attempt"; flow:to_client,established; file_data; content:"language=vbs",depth 200; content:"<script",within 200,distance -150; pcre:"/<script[^>]*src\s*=\s*[\x22\x27][^\x22\x27]*\.json[\x22\x27][^>]*language=vbs/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-1297; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-recon; sid:26624; rev:1; service:http; service:imap; service:pop3; )
00452 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 7-9 VBScript JSON reference information disclosure attempt"; flow:to_client,established; file_data; content:"language=vbs",depth 200; content:"<script",within 200,distance -150; pcre:"/<script[^>]*src\s*=\s*[\x22\x27][^\x22\x27]*\.json[\x22\x27][^>]*language=vbs/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-1297; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-recon; sid:26624; rev:1; service:http; service:imap; service:pop3; )
00453 alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer 7-9 VBScript JSON reference information disclosure attempt"; flow:to_server,established; file_data; content:"language=vbs",depth 200; content:"<script",within 200,distance -150; pcre:"/<script[^>]*src\s*=\s*[\x22\x27][^\x22\x27]*\.json[\x22\x27][^>]*language=vbs/i"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-1297; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-recon; sid:26625; rev:1; service:smtp; )
00453 alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer 7-9 VBScript JSON reference information disclosure attempt"; flow:to_server,established; file_data; content:"language=vbs",depth 200; content:"<script",within 200,distance -150; pcre:"/<script[^>]*src\s*=\s*[\x22\x27][^\x22\x27]*\.json[\x22\x27][^>]*language=vbs/i"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-1297; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-recon; sid:26625; rev:1; service:smtp; )
00454 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer setInterval focus use after free attempt"; flow:to_client,established; file_data; content:"setInterval"; content:".focus()",within 100; content:"history.go(0)"; pcre:"/setInterval\s*\x28[^\x29]+\x2efocus\x28\x29/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-1308; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-037; classtype:attempted-admin; sid:26629; rev:2; service:http; )
00454 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer setInterval focus use after free attempt"; flow:to_client,established; file_data; content:"setInterval"; content:".focus()",within 100; content:"history.go(0)"; pcre:"/setInterval\s*\x28[^\x29]+\x2efocus\x28\x29/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-1308; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-037; classtype:attempted-admin; sid:26629; rev:2; service:http; )
00455 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CDispNode float css element use after free attempt"; flow:to_client,established; file_data; content:"<q class=|22|border float zoom|22| xml:space=|22|preserve|22|>"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-1309; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:26630; rev:1; service:http; service:imap; service:pop3; )
00455 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CDispNode float css element use after free attempt"; flow:to_client,established; file_data; content:"<q class=|22|border float zoom|22| xml:space=|22|preserve|22|>"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-1309; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:26630; rev:1; service:http; service:imap; service:pop3; )
00455 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CDispNode float css element use after free attempt"; flow:to_client,established; file_data; content:"<q class=|22|border float zoom|22| xml:space=|22|preserve|22|>"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-1309; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:26630; rev:1; service:http; service:imap; service:pop3; )
00455 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CDispNode float css element use after free attempt"; flow:to_client,established; file_data; content:"<q class=|22|border float zoom|22| xml:space=|22|preserve|22|>"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-1309; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:26630; rev:1; service:http; service:imap; service:pop3; )
00456 alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer CDispNode float css element use after free attempt"; flow:to_server,established; file_data; content:"<q class=|22|border float zoom|22| xml:space=|22|preserve|22|>"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-1309; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:26631; rev:1; service:smtp; )
00456 alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer CDispNode float css element use after free attempt"; flow:to_server,established; file_data; content:"<q class=|22|border float zoom|22| xml:space=|22|preserve|22|>"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-1309; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:26631; rev:1; service:smtp; )
00457 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 8 deleted object access via timer memory corruption attempt"; flow:to_client,established; file_data; content:"document.createElement|28|",depth 100,nocase; content:".innerHTML",distance 0,nocase; content:"document.body.appendChild|28|",distance 0; content:"document.styleSheets",distance 0,nocase; content:"CollectGarbage()",distance 0,nocase; content:"setTimeout|28|function",distance 0,nocase; content:"onload=|27|setTimeout"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-1311; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:26634; rev:3; service:http; service:imap; service:pop3; )
00457 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 8 deleted object access via timer memory corruption attempt"; flow:to_client,established; file_data; content:"document.createElement|28|",depth 100,nocase; content:".innerHTML",distance 0,nocase; content:"document.body.appendChild|28|",distance 0; content:"document.styleSheets",distance 0,nocase; content:"CollectGarbage()",distance 0,nocase; content:"setTimeout|28|function",distance 0,nocase; content:"onload=|27|setTimeout"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-1311; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:26634; rev:3; service:http; service:imap; service:pop3; )
00457 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 8 deleted object access via timer memory corruption attempt"; flow:to_client,established; file_data; content:"document.createElement|28|",depth 100,nocase; content:".innerHTML",distance 0,nocase; content:"document.body.appendChild|28|",distance 0; content:"document.styleSheets",distance 0,nocase; content:"CollectGarbage()",distance 0,nocase; content:"setTimeout|28|function",distance 0,nocase; content:"onload=|27|setTimeout"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-1311; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:26634; rev:3; service:http; service:imap; service:pop3; )
00457 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 8 deleted object access via timer memory corruption attempt"; flow:to_client,established; file_data; content:"document.createElement|28|",depth 100,nocase; content:".innerHTML",distance 0,nocase; content:"document.body.appendChild|28|",distance 0; content:"document.styleSheets",distance 0,nocase; content:"CollectGarbage()",distance 0,nocase; content:"setTimeout|28|function",distance 0,nocase; content:"onload=|27|setTimeout"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-1311; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:26634; rev:3; service:http; service:imap; service:pop3; )
00458 alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer 8 deleted object access via timer memory corruption attempt"; flow:to_server,established; file_data; content:"document.createElement|28|",nocase; content:".innerHTML",distance 0,nocase; content:"document.body.appendChild|28|",distance 0; content:"document.styleSheets",distance 0,nocase; content:"CollectGarbage()",distance 0,nocase; content:"setTimeout|28|function",distance 0,nocase; content:"onload=|27|setTimeout"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-1311; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:26635; rev:3; service:smtp; )
00458 alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer 8 deleted object access via timer memory corruption attempt"; flow:to_server,established; file_data; content:"document.createElement|28|",nocase; content:".innerHTML",distance 0,nocase; content:"document.body.appendChild|28|",distance 0; content:"document.styleSheets",distance 0,nocase; content:"CollectGarbage()",distance 0,nocase; content:"setTimeout|28|function",distance 0,nocase; content:"onload=|27|setTimeout"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-1311; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:26635; rev:3; service:smtp; )
# sid 26636 (CVE-2013-1312, MS13-037) - client-side (HTTP/IMAP/POP3 file_data) detection of the
# DCOMTextNode use-after-free: ordered, case-sensitive chain .focusNode -> focusNode.dispatchEvent ->
# CollectGarbage -> previousSibling. JS identifiers are case-sensitive, so the absence of nocase is
# appropriate here. Coverage relies on the explicit CollectGarbage call that public PoCs use to force
# the free; a sample that triggers collection another way or aliases the property names would not match.
00459 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer DCOMTextNode object use after free attempt"; flow:to_client,established; file_data; content:".focusNode"; content:"focusNode.dispatchEvent",distance 0; content:"CollectGarbage",distance 0; content:"previousSibling",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-1312; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:26636; rev:3; service:http; service:imap; service:pop3; )
00459 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer DCOMTextNode object use after free attempt"; flow:to_client,established; file_data; content:".focusNode"; content:"focusNode.dispatchEvent",distance 0; content:"CollectGarbage",distance 0; content:"previousSibling",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-1312; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:26636; rev:3; service:http; service:imap; service:pop3; )
00459 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer DCOMTextNode object use after free attempt"; flow:to_client,established; file_data; content:".focusNode"; content:"focusNode.dispatchEvent",distance 0; content:"CollectGarbage",distance 0; content:"previousSibling",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-1312; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:26636; rev:3; service:http; service:imap; service:pop3; )
00459 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer DCOMTextNode object use after free attempt"; flow:to_client,established; file_data; content:".focusNode"; content:"focusNode.dispatchEvent",distance 0; content:"CollectGarbage",distance 0; content:"previousSibling",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-1312; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:26636; rev:3; service:http; service:imap; service:pop3; )
# sid 26637 (CVE-2013-1312) - SMTP-side twin of sid 26636 with an identical content chain, applied to
# decoded attachments arriving at $SMTP_SERVERS. Keep the two rules' content sets in lockstep when
# either is tuned; the same evasion caveat (dependence on a literal CollectGarbage call) applies.
00460 alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer DCOMTextNode object use after free attempt"; flow:to_server,established; file_data; content:".focusNode"; content:"focusNode.dispatchEvent",distance 0; content:"CollectGarbage",distance 0; content:"previousSibling",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-1312; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:26637; rev:4; service:smtp; )
00460 alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer DCOMTextNode object use after free attempt"; flow:to_server,established; file_data; content:".focusNode"; content:"focusNode.dispatchEvent",distance 0; content:"CollectGarbage",distance 0; content:"previousSibling",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-1312; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:26637; rev:4; service:smtp; )
# sid 26638 (CVE-2013-2551, MS13-037) - VML dashstyle.array negative-length corruption. Both contents
# are absolute (unordered) pre-filters: the "#default#VML" behavior binding and the ".dashstyle.array.length"
# property. The pcre then requires an assignment whose value, before the next ';', contains a minus sign
# followed by a digit - i.e. a negative numeric literal such as "= -1". An exploit that assigns a variable
# holding a negative value, or that builds the value with arithmetic, will pass the contents but fail the
# pcre; treat this as literal-PoC coverage.
00461 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer VML array with negative length memory corruption attempt"; flow:to_client,established; file_data; content:"#default#VML"; content:".dashstyle.array.length"; pcre:"/\.dashstyle\.array\.length\s*?=[^\x3b]*?-\s*?\d/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,58570; reference:cve,2013-2551; reference:url,osvdb.org/show/osvdb/91197; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:26638; rev:3; service:http; service:imap; service:pop3; )
00461 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer VML array with negative length memory corruption attempt"; flow:to_client,established; file_data; content:"#default#VML"; content:".dashstyle.array.length"; pcre:"/\.dashstyle\.array\.length\s*?=[^\x3b]*?-\s*?\d/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,58570; reference:cve,2013-2551; reference:url,osvdb.org/show/osvdb/91197; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:26638; rev:3; service:http; service:imap; service:pop3; )
00461 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer VML array with negative length memory corruption attempt"; flow:to_client,established; file_data; content:"#default#VML"; content:".dashstyle.array.length"; pcre:"/\.dashstyle\.array\.length\s*?=[^\x3b]*?-\s*?\d/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,58570; reference:cve,2013-2551; reference:url,osvdb.org/show/osvdb/91197; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:26638; rev:3; service:http; service:imap; service:pop3; )
00461 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer VML array with negative length memory corruption attempt"; flow:to_client,established; file_data; content:"#default#VML"; content:".dashstyle.array.length"; pcre:"/\.dashstyle\.array\.length\s*?=[^\x3b]*?-\s*?\d/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,58570; reference:cve,2013-2551; reference:url,osvdb.org/show/osvdb/91197; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:26638; rev:3; service:http; service:imap; service:pop3; )
# sid 26641 (CVE-2013-1307, MS13-037) - runtimeStyle memory corruption, client side. Contents require
# createElement( followed within 100 bytes by .runtimeStyle (explicit fast_pattern) and then .border
# within another 100 bytes. The pcre tightens this: the variable assigned from createElement( must be
# the same one (named backreference (?P=var)) whose .runtimeStyle is touched, and the .border assignment's
# quoted value must contain a digit adjacent to whitespace. The 100-byte windows mean a PoC that
# interleaves unrelated statements between the three steps will fall outside the content constraints.
00462 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer runtimeStyle memory corruption attempt"; flow:to_client,established; file_data; content:"document.createElement(",nocase; content:".runtimeStyle",within 100,fast_pattern,nocase; content:".border",within 100,nocase; pcre:"/var\s+?(?P<var>[^\s]+?)\s*?=\s*?document\.createElement\(.*?(?P=var)\.runtimeStyle.*?\.border[^=\x3b]*?=\s*?[^\x3b]*?[\x22\x27](\d+?\s|\s+?\d)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-1307; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:26641; rev:2; service:http; service:imap; service:pop3; )
00462 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer runtimeStyle memory corruption attempt"; flow:to_client,established; file_data; content:"document.createElement(",nocase; content:".runtimeStyle",within 100,fast_pattern,nocase; content:".border",within 100,nocase; pcre:"/var\s+?(?P<var>[^\s]+?)\s*?=\s*?document\.createElement\(.*?(?P=var)\.runtimeStyle.*?\.border[^=\x3b]*?=\s*?[^\x3b]*?[\x22\x27](\d+?\s|\s+?\d)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-1307; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:26641; rev:2; service:http; service:imap; service:pop3; )
00462 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer runtimeStyle memory corruption attempt"; flow:to_client,established; file_data; content:"document.createElement(",nocase; content:".runtimeStyle",within 100,fast_pattern,nocase; content:".border",within 100,nocase; pcre:"/var\s+?(?P<var>[^\s]+?)\s*?=\s*?document\.createElement\(.*?(?P=var)\.runtimeStyle.*?\.border[^=\x3b]*?=\s*?[^\x3b]*?[\x22\x27](\d+?\s|\s+?\d)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-1307; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:26641; rev:2; service:http; service:imap; service:pop3; )
00462 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer runtimeStyle memory corruption attempt"; flow:to_client,established; file_data; content:"document.createElement(",nocase; content:".runtimeStyle",within 100,fast_pattern,nocase; content:".border",within 100,nocase; pcre:"/var\s+?(?P<var>[^\s]+?)\s*?=\s*?document\.createElement\(.*?(?P=var)\.runtimeStyle.*?\.border[^=\x3b]*?=\s*?[^\x3b]*?[\x22\x27](\d+?\s|\s+?\d)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-1307; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:26641; rev:2; service:http; service:imap; service:pop3; )
# sid 26642 (CVE-2013-1307) - SMTP-side twin of sid 26641; identical contents and pcre applied to mail
# attachments bound for $SMTP_SERVERS. Tune the two together.
00463 alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer runtimeStyle memory corruption attempt"; flow:to_server,established; file_data; content:"document.createElement(",nocase; content:".runtimeStyle",within 100,fast_pattern,nocase; content:".border",within 100,nocase; pcre:"/var\s+?(?P<var>[^\s]+?)\s*?=\s*?document\.createElement\(.*?(?P=var)\.runtimeStyle.*?\.border[^=\x3b]*?=\s*?[^\x3b]*?[\x22\x27](\d+?\s|\s+?\d)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-1307; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:26642; rev:2; service:smtp; )
00463 alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer runtimeStyle memory corruption attempt"; flow:to_server,established; file_data; content:"document.createElement(",nocase; content:".runtimeStyle",within 100,fast_pattern,nocase; content:".border",within 100,nocase; pcre:"/var\s+?(?P<var>[^\s]+?)\s*?=\s*?document\.createElement\(.*?(?P=var)\.runtimeStyle.*?\.border[^=\x3b]*?=\s*?[^\x3b]*?[\x22\x27](\d+?\s|\s+?\d)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-1307; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:26642; rev:2; service:smtp; )
# sid 26633 (CVE-2013-1306, MS13-037) - HTML reload loop (onload handler calling location.reload). The
# "iframe" content is absolute and unordered, so it only requires that the word appear somewhere in the
# response. The balanced-ips policy is alert rather than drop and classtype is misc-activity, presumably
# because an onload=location.reload( handler also occurs in benign pages - expect false positives before
# promoting this to drop. Only the HTTP transport is covered (no SMTP/IMAP/POP3 sibling here).
00464 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer html reload loop attempt"; flow:to_client,established; file_data; content:"onload"; content:"location.reload",within 25; content:"iframe"; pcre:"/onload\s*\x3D\s*[\x22\x27]?location\.reload\s*\x28/smi"; metadata:policy balanced-ips alert,policy security-ips drop,service http; reference:cve,2013-1306; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-037; classtype:misc-activity; sid:26633; rev:4; service:http; )
00464 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer html reload loop attempt"; flow:to_client,established; file_data; content:"onload"; content:"location.reload",within 25; content:"iframe"; pcre:"/onload\s*\x3D\s*[\x22\x27]?location\.reload\s*\x28/smi"; metadata:policy balanced-ips alert,policy security-ips drop,service http; reference:cve,2013-1306; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-037; classtype:misc-activity; sid:26633; rev:4; service:http; )
# sid 26668 (CVE-2013-1347, MS13-038) - IE null-object access via offsetParent on datalist/table elements.
# REVIEW: unlike every neighbouring BROWSER-IE rule, this one has no file_data selector, so its contents
# run against the raw reassembled payload. For the declared http/imap/pop3 services that means compressed
# or chunked HTTP bodies and base64-encoded mail attachments - the very thing file_data decodes - are not
# inspected; rev:1 suggests an oversight. Adding "file_data;" directly after the flow keyword would align
# it with the sibling rules. Secondary: "createElement", "datalist" and "table" are case-sensitive here
# while the neighbouring rules use nocase; HTML tag names given to createElement are case-insensitive
# (e.g. 'DATALIST'), so case variation alone would likely evade this rule - confirm against a test case.
00465 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer null object access attempt"; flow:to_client,established; content:"offsetParent",fast_pattern; content:"null",within 10,nocase; content:"createElement"; content:"datalist",within 20; content:"createElement"; content:"table",within 20; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-1347; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-038; classtype:attempted-user; sid:26668; rev:1; service:http; service:imap; service:pop3; )
00465 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer null object access attempt"; flow:to_client,established; content:"offsetParent",fast_pattern; content:"null",within 10,nocase; content:"createElement"; content:"datalist",within 20; content:"createElement"; content:"table",within 20; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-1347; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-038; classtype:attempted-user; sid:26668; rev:1; service:http; service:imap; service:pop3; )
00465 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer null object access attempt"; flow:to_client,established; content:"offsetParent",fast_pattern; content:"null",within 10,nocase; content:"createElement"; content:"datalist",within 20; content:"createElement"; content:"table",within 20; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-1347; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-038; classtype:attempted-user; sid:26668; rev:1; service:http; service:imap; service:pop3; )
00465 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer null object access attempt"; flow:to_client,established; content:"offsetParent",fast_pattern; content:"null",within 10,nocase; content:"createElement"; content:"datalist",within 20; content:"createElement"; content:"table",within 20; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-1347; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-038; classtype:attempted-user; sid:26668; rev:1; service:http; service:imap; service:pop3; )
# sid 26753 (CVE-2013-1309, MS13-037) - CDispNode float/zoom use-after-free, client side. All three
# contents are verbatim markup from the public trigger: exact attribute order, double quotes, single-space
# separators, self-closing "/>" and no nocase. Any reformatting (attribute reordering, single quotes,
# extra whitespace, dropping the slash) defeats the match, so this is PoC-literal coverage and should not
# be read as protection against a repackaged exploit.
00466 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CDispNode float css element use after free attempt"; flow:to_client,established; file_data; content:"<input type=|22|text|22| style=|22|zoom:10|22|/>"; content:"<body onload=|22|history.go(0)|22|>"; content:"<img style=|22|float:right|22|/>"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-1309; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:26753; rev:1; service:http; service:imap; service:pop3; )
00466 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CDispNode float css element use after free attempt"; flow:to_client,established; file_data; content:"<input type=|22|text|22| style=|22|zoom:10|22|/>"; content:"<body onload=|22|history.go(0)|22|>"; content:"<img style=|22|float:right|22|/>"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-1309; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:26753; rev:1; service:http; service:imap; service:pop3; )
00466 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CDispNode float css element use after free attempt"; flow:to_client,established; file_data; content:"<input type=|22|text|22| style=|22|zoom:10|22|/>"; content:"<body onload=|22|history.go(0)|22|>"; content:"<img style=|22|float:right|22|/>"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-1309; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:26753; rev:1; service:http; service:imap; service:pop3; )
00466 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CDispNode float css element use after free attempt"; flow:to_client,established; file_data; content:"<input type=|22|text|22| style=|22|zoom:10|22|/>"; content:"<body onload=|22|history.go(0)|22|>"; content:"<img style=|22|float:right|22|/>"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-1309; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:26753; rev:1; service:http; service:imap; service:pop3; )
# sid 26754 (CVE-2013-1309) - SMTP-side twin of sid 26753 with the same three verbatim markup strings;
# the same PoC-literal / trivial-evasion caveat applies.
00467 alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer CDispNode float css element use after free attempt"; flow:to_server,established; file_data; content:"<input type=|22|text|22| style=|22|zoom:10|22|/>"; content:"<body onload=|22|history.go(0)|22|>"; content:"<img style=|22|float:right|22|/>"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-1309; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:26754; rev:1; service:smtp; )
00467 alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer CDispNode float css element use after free attempt"; flow:to_server,established; file_data; content:"<input type=|22|text|22| style=|22|zoom:10|22|/>"; content:"<body onload=|22|history.go(0)|22|>"; content:"<img style=|22|float:right|22|/>"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-1309; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:26754; rev:1; service:smtp; )
# sid 26844 (CVE-2013-3122, MS13-047) - IE9 layout-engine memory corruption. Matches an empty
# catch/try pair ("}catch(" ... "){}try{" within 10 bytes) plus the absolute, case-sensitive string
# "obj,obj,obj,obj,obj", which is a PoC variable name repeated as call arguments. Renaming that variable
# evades the rule; coverage is limited to the public PoC. HTTP only - there is no mail-transport sibling.
00468 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE IE9 layout engine memory corruption attempt"; flow:to_client,established; file_data; content:"}catch|28|"; content:"|29|{}try{",within 10; content:"obj,obj,obj,obj,obj"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-3122; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-047; classtype:attempted-user; sid:26844; rev:1; service:http; )
00468 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE IE9 layout engine memory corruption attempt"; flow:to_client,established; file_data; content:"}catch|28|"; content:"|29|{}try{",within 10; content:"obj,obj,obj,obj,obj"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-3122; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-047; classtype:attempted-user; sid:26844; rev:1; service:http; )
# sid 26845 (CVE-2013-3120, MS13-047) - IE10 insertImage/designMode deleted-object access, client side.
# Ordered chain: window.open -> .eval -> document.designMode (explicit fast_pattern) -> "on" ->
# window.getSelection -> document.designMode -> "off". The two- and three-byte "on"/"off" contents are
# only meaningful because they are relative (distance 0) to the preceding designMode match; do not
# loosen those modifiers. ".eval" is case-sensitive by design (JS identifier).
00469 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 10 insertImage with designMode on deleted object access attempt"; flow:to_client,established; file_data; content:"window.open",nocase; content:".eval",distance 0; content:"document.designMode",distance 0,fast_pattern,nocase; content:"on",distance 0,nocase; content:"window.getSelection",distance 0,nocase; content:"document.designMode",distance 0,nocase; content:"off",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26845; rev:1; service:http; service:imap; service:pop3; )
00469 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 10 insertImage with designMode on deleted object access attempt"; flow:to_client,established; file_data; content:"window.open",nocase; content:".eval",distance 0; content:"document.designMode",distance 0,fast_pattern,nocase; content:"on",distance 0,nocase; content:"window.getSelection",distance 0,nocase; content:"document.designMode",distance 0,nocase; content:"off",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26845; rev:1; service:http; service:imap; service:pop3; )
00469 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 10 insertImage with designMode on deleted object access attempt"; flow:to_client,established; file_data; content:"window.open",nocase; content:".eval",distance 0; content:"document.designMode",distance 0,fast_pattern,nocase; content:"on",distance 0,nocase; content:"window.getSelection",distance 0,nocase; content:"document.designMode",distance 0,nocase; content:"off",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26845; rev:1; service:http; service:imap; service:pop3; )
00469 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 10 insertImage with designMode on deleted object access attempt"; flow:to_client,established; file_data; content:"window.open",nocase; content:".eval",distance 0; content:"document.designMode",distance 0,fast_pattern,nocase; content:"on",distance 0,nocase; content:"window.getSelection",distance 0,nocase; content:"document.designMode",distance 0,nocase; content:"off",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26845; rev:1; service:http; service:imap; service:pop3; )
# sid 26846 (CVE-2013-3120) - SMTP-side twin of sid 26845. Same ordered chain; the one difference is
# that this copy does not mark document.designMode as fast_pattern, so the engine picks the fast-pattern
# content itself. Harmless functionally, but if the two rules are meant to be maintained as a pair the
# explicit fast_pattern should probably be carried over.
00470 alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer 10 insertImage with designMode on deleted object access attempt"; flow:to_server,established; file_data; content:"window.open",nocase; content:".eval",distance 0; content:"document.designMode",distance 0,nocase; content:"on",distance 0,nocase; content:"window.getSelection",distance 0,nocase; content:"document.designMode",distance 0,nocase; content:"off",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-3120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26846; rev:1; service:smtp; )
00470 alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer 10 insertImage with designMode on deleted object access attempt"; flow:to_server,established; file_data; content:"window.open",nocase; content:".eval",distance 0; content:"document.designMode",distance 0,nocase; content:"on",distance 0,nocase; content:"window.getSelection",distance 0,nocase; content:"document.designMode",distance 0,nocase; content:"off",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-3120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26846; rev:1; service:smtp; )
# sid 26847 (CVE-2013-3125, MS13-047) - IE10 use-after-free. All three contents are verbatim PoC source
# lines, down to the exact spacing of the for-loop header, the variable name "param", the single-quoted
# pasteHTML arguments and the "2"/"3" cell text. Any cosmetic change to the script evades it; this rule
# documents the public trigger rather than the vulnerability class. No fast_pattern is set, so the engine
# chooses one of these long literals automatically.
00471 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 10 use after free attempt"; flow:to_client,established; file_data; content:"for (var i = 0|3B| i < param.childNodes.length|3B| i++)"; content:"document.selection.createRange().pasteHTML('<td>2<nobr>')"; content:"document.selection.createRange().pasteHTML('<td>3')"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3125; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26847; rev:1; service:http; service:imap; service:pop3; )
00471 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 10 use after free attempt"; flow:to_client,established; file_data; content:"for (var i = 0|3B| i < param.childNodes.length|3B| i++)"; content:"document.selection.createRange().pasteHTML('<td>2<nobr>')"; content:"document.selection.createRange().pasteHTML('<td>3')"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3125; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26847; rev:1; service:http; service:imap; service:pop3; )
00471 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 10 use after free attempt"; flow:to_client,established; file_data; content:"for (var i = 0|3B| i < param.childNodes.length|3B| i++)"; content:"document.selection.createRange().pasteHTML('<td>2<nobr>')"; content:"document.selection.createRange().pasteHTML('<td>3')"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3125; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26847; rev:1; service:http; service:imap; service:pop3; )
00471 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 10 use after free attempt"; flow:to_client,established; file_data; content:"for (var i = 0|3B| i < param.childNodes.length|3B| i++)"; content:"document.selection.createRange().pasteHTML('<td>2<nobr>')"; content:"document.selection.createRange().pasteHTML('<td>3')"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3125; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26847; rev:1; service:http; service:imap; service:pop3; )
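# sid 26851 (CVE-2013-3121, MS13-047) - IE5 compatibility-mode use-after-free. Requires the
# X-UA-Compatible meta tag forcing IE=5 document mode, a .runtimeStyle.setExpression call and a
# document.body.innerHTML access; all three contents are absolute and unordered. HTTP only.
# Fix: the alert message read "user after free"; corrected to "use after free" so it matches the
# wording of the other BROWSER-IE UAF rules and is searchable alongside them. Detection logic is
# unchanged. rev is left as published upstream (sid:26851 rev:2); bump it locally only if your
# deployment tracks local edits by rev, otherwise a later upstream rev:3 would collide.
00472 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE IE5 compatibility mode use after free attempt"; flow:to_client,established; file_data; content:"meta http-equiv=|22|X-UA-Compatible|22| content=|22|IE=5|22|"; content:".runtimeStyle.setExpression"; content:"document.body.innerHTML"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-3121; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-047; classtype:attempted-user; sid:26851; rev:2; service:http; )
00472 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE IE5 compatibility mode use after free attempt"; flow:to_client,established; file_data; content:"meta http-equiv=|22|X-UA-Compatible|22| content=|22|IE=5|22|"; content:".runtimeStyle.setExpression"; content:"document.body.innerHTML"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-3121; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-047; classtype:attempted-user; sid:26851; rev:2; service:http; )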
# sid 26852 (CVE-2013-3124, MS13-047) - create/add range memory corruption, client side. The rule counts
# repetition: an initial absolute ".addRange(" followed by four more, each starting within 1024 bytes of
# the previous match, and likewise five ".createRange()" occurrences (the first absolute, so the two
# chains are independent of each other). Rich-text editors that call createRange/addRange in a loop are
# a plausible false-positive source - validate against your own web apps before keeping it at drop.
00473 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer create-add range on DOM objects memory corruption attempt"; flow:to_client,established; file_data; content:".addRange("; content:".addRange(",within 1024; content:".addRange(",within 1024; content:".addRange(",within 1024; content:".addRange(",within 1024; content:".createRange()"; content:".createRange()",within 1024; content:".createRange()",within 1024; content:".createRange()",within 1024; content:".createRange()",within 1024; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3124; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26852; rev:2; service:http; service:imap; service:pop3; )
00473 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer create-add range on DOM objects memory corruption attempt"; flow:to_client,established; file_data; content:".addRange("; content:".addRange(",within 1024; content:".addRange(",within 1024; content:".addRange(",within 1024; content:".addRange(",within 1024; content:".createRange()"; content:".createRange()",within 1024; content:".createRange()",within 1024; content:".createRange()",within 1024; content:".createRange()",within 1024; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3124; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26852; rev:2; service:http; service:imap; service:pop3; )
00473 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer create-add range on DOM objects memory corruption attempt"; flow:to_client,established; file_data; content:".addRange("; content:".addRange(",within 1024; content:".addRange(",within 1024; content:".addRange(",within 1024; content:".addRange(",within 1024; content:".createRange()"; content:".createRange()",within 1024; content:".createRange()",within 1024; content:".createRange()",within 1024; content:".createRange()",within 1024; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3124; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26852; rev:2; service:http; service:imap; service:pop3; )
00473 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer create-add range on DOM objects memory corruption attempt"; flow:to_client,established; file_data; content:".addRange("; content:".addRange(",within 1024; content:".addRange(",within 1024; content:".addRange(",within 1024; content:".addRange(",within 1024; content:".createRange()"; content:".createRange()",within 1024; content:".createRange()",within 1024; content:".createRange()",within 1024; content:".createRange()",within 1024; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3124; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26852; rev:2; service:http; service:imap; service:pop3; )
# sid 26853 (CVE-2013-3124) - SMTP-side twin of sid 26852 with the same five-by-five repetition count.
# REVIEW: the header source is "any any" whereas every other SMTP rule in this group uses
# "$EXTERNAL_NET any". That widens the rule to mail submitted from inside $HOME_NET (internal relays,
# users sending to the protected servers), which in drop mode can interrupt internal mail flow on a
# false positive. rev:3 (higher than the HTTP twin) hints the header was changed deliberately, possibly to
# catch internally relayed mail - confirm the intent, and if it was not intentional restore $EXTERNAL_NET.
00474 alert tcp any any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer create-add range on DOM objects memory corruption attempt"; flow:to_server,established; file_data; content:".addRange("; content:".addRange(",within 1024; content:".addRange(",within 1024; content:".addRange(",within 1024; content:".addRange(",within 1024; content:".createRange()"; content:".createRange()",within 1024; content:".createRange()",within 1024; content:".createRange()",within 1024; content:".createRange()",within 1024; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-3124; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26853; rev:3; service:smtp; )
00474 alert tcp any any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer create-add range on DOM objects memory corruption attempt"; flow:to_server,established; file_data; content:".addRange("; content:".addRange(",within 1024; content:".addRange(",within 1024; content:".addRange(",within 1024; content:".addRange(",within 1024; content:".createRange()"; content:".createRange()",within 1024; content:".createRange()",within 1024; content:".createRange()",within 1024; content:".createRange()",within 1024; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-3124; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26853; rev:3; service:smtp; )
# sid 26867 (CVE-2013-3139, MS13-047) - IE8 select-element deleted-object access, client side. The first
# content is a verbatim, case-sensitive, single-quoted appendChild(createElement('select')) call; the
# second and third (nocase, within 100 of each other) look for a getElementsByTagName('select') lookup
# followed by removeChild on the same lookup. The single quotes are hard-coded, so a double-quoted
# 'select' literal or a variable holding the tag name evades the rule.
00475 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 8 select element deleted object access attempt"; flow:to_client,established; file_data; content:"document.body.appendChild(document.createElement('select'))"; content:"document.getElementsByTagName('select')",nocase; content:"parentNode.removeChild(document.getElementsByTagName('select')",within 100,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3139; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26867; rev:1; service:http; service:imap; service:pop3; )
00475 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 8 select element deleted object access attempt"; flow:to_client,established; file_data; content:"document.body.appendChild(document.createElement('select'))"; content:"document.getElementsByTagName('select')",nocase; content:"parentNode.removeChild(document.getElementsByTagName('select')",within 100,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3139; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26867; rev:1; service:http; service:imap; service:pop3; )
00475 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 8 select element deleted object access attempt"; flow:to_client,established; file_data; content:"document.body.appendChild(document.createElement('select'))"; content:"document.getElementsByTagName('select')",nocase; content:"parentNode.removeChild(document.getElementsByTagName('select')",within 100,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3139; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26867; rev:1; service:http; service:imap; service:pop3; )
00475 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 8 select element deleted object access attempt"; flow:to_client,established; file_data; content:"document.body.appendChild(document.createElement('select'))"; content:"document.getElementsByTagName('select')",nocase; content:"parentNode.removeChild(document.getElementsByTagName('select')",within 100,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3139; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26867; rev:1; service:http; service:imap; service:pop3; )
# sid 26868 (CVE-2013-3139, MS13-047): inbound SMTP twin of sid 26867 — identical
# content chain applied to the decoded mail attachment (file_data) on port 25 from
# $EXTERNAL_NET. Same caveat: the first content is the PoC's exact, single-quoted,
# case-sensitive string, so trivial rewrites of the exploit evade it.
00476 alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer 8 select element deleted object access attempt"; flow:to_server,established; file_data; content:"document.body.appendChild(document.createElement('select'))"; content:"document.getElementsByTagName('select')",nocase; content:"parentNode.removeChild(document.getElementsByTagName('select')",within 100,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-3139; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26868; rev:1; service:smtp; )
# sid 26869 (CVE-2013-3118, MS13-047): IE double-free through namespaced DOM calls,
# client-side over HTTP/IMAP/POP3. Requires document.getElementsByTagNameNS( followed
# within 50 bytes by a www.w3.org namespace URI, then removeAttributeNS( with "null"
# within 20 bytes (all nocase). Sibling sid 26871 covers the same tokens when the
# namespace string precedes the getElementsByTagNameNS( call; sid 26870 is the SMTP twin.
# NOTE(review): getElementsByTagNameNS + a w3.org namespace is ordinary DOM code; the
# removeAttributeNS(..., null) pairing is what carries the signal here.
00477 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer double-free memory corruption attempt"; flow:to_client,established; file_data; content:"document.getElementsByTagNameNS(",nocase; content:"www.w3.org",within 50,nocase; content:"removeAttributeNS(",nocase; content:"null",within 20,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3118; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26869; rev:1; service:http; service:imap; service:pop3; )
# sid 26870 (CVE-2013-3118, MS13-047): inbound SMTP twin of sid 26869 — same
# getElementsByTagNameNS( / www.w3.org / removeAttributeNS( / null chain applied to the
# decoded attachment (file_data) on port 25 from $EXTERNAL_NET.
00478 alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer double-free memory corruption attempt"; flow:to_server,established; file_data; content:"document.getElementsByTagNameNS(",nocase; content:"www.w3.org",within 50,nocase; content:"removeAttributeNS(",nocase; content:"null",within 20,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-3118; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26870; rev:1; service:smtp; )
# sid 26871 (CVE-2013-3118, MS13-047): ordering variant of sid 26869 for the case where
# the www.w3.org namespace string appears first (e.g. assigned to a variable before the
# call). Chain: www.w3.org -> document.getElementsByTagNameNS( within 100 ->
# removeAttributeNS( within 100 -> null within 20, all nocase. sid 26872 is the SMTP twin.
00479 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer double-free memory corruption attempt"; flow:to_client,established; file_data; content:"www.w3.org",nocase; content:"document.getElementsByTagNameNS(",within 100,nocase; content:"removeAttributeNS(",within 100,nocase; content:"null",within 20,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3118; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26871; rev:1; service:http; service:imap; service:pop3; )
# sid 26872 (CVE-2013-3118, MS13-047): inbound SMTP twin of sid 26871 (namespace string
# first, then getElementsByTagNameNS( / removeAttributeNS( / null within fixed windows),
# applied to the decoded attachment on port 25 from $EXTERNAL_NET.
00480 alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer double-free memory corruption attempt"; flow:to_server,established; file_data; content:"www.w3.org",nocase; content:"document.getElementsByTagNameNS(",within 100,nocase; content:"removeAttributeNS(",within 100,nocase; content:"null",within 20,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-3118; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26872; rev:1; service:smtp; )
# sid 26873 (CVE-2013-3117, MS13-047): IE9 CSS rules cache use-after-free, client-side
# over HTTP/IMAP/POP3. Keys on the PoC's exact
# document.getElementsByTagName("link")[0].href (double quotes, index 0, case-sensitive)
# plus document.createStyleSheet (nocase) anywhere in the buffer — the two contents carry
# no distance/within, so each is an absolute search and they may appear in either order.
# NOTE(review): single-quoted or variable-indexed forms of the href access evade the
# first content; createStyleSheet on its own is legitimate legacy-IE code.
00481 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 9 CSS rules cache use-after-free attempt"; flow:to_client,established; file_data; content:"document.getElementsByTagName(|22|link|22|)[0].href"; content:"document.createStyleSheet",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3117; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26873; rev:1; service:http; service:imap; service:pop3; )
# sid 26874 (CVE-2013-3117, MS13-047): inbound SMTP twin of sid 26873 — same exact
# getElementsByTagName("link")[0].href string plus document.createStyleSheet, applied
# to the decoded attachment on port 25 from $EXTERNAL_NET.
00482 alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer 9 CSS rules cache use-after-free attempt"; flow:to_server,established; file_data; content:"document.getElementsByTagName(|22|link|22|)[0].href"; content:"document.createStyleSheet",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-3117; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26874; rev:1; service:smtp; )
# sid 26875 (CVE-2013-3119, MS13-047): IE9 CTreeNode use-after-free via DOMNodeRemoved
# mutation listeners (the msg runs "CTreeNode" and "object" together). HTTP/IMAP/POP3
# only; no SMTP sibling is present in this section. Keys on the PoC's exact
# div1.removeEventListener( 'DOMNodeRemoved', callback, true ) — including the variable
# names div1/callback, the single quotes and the interior spacing — plus an
# addEventListener with DOMNodeRemoved within 40 bytes of it.
# NOTE(review): any renamed identifier or reformatted call defeats the first content;
# this is a PoC signature, not a signature for the vulnerable condition itself.
00483 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 9 CTreeNodeobject use-after-free attempt"; flow:to_client,established; file_data; content:"div1.removeEventListener( |27|DOMNodeRemoved|27|, callback, true )"; content:"addEventListener"; content:"DOMNodeRemoved",within 40; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3119; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26875; rev:1; service:http; service:imap; service:pop3; )
# sid 26876 (CVE-2013-3116, MS13-047): IE9 cached display node use-after-free,
# client-side over HTTP/IMAP/POP3. Requires document.getElementsByTagName("input")[0].focus()
# and, anywhere in the buffer (no relative modifier), document.getElementsByTagName("input")[0].applyElement(a).
# Both contents are case-sensitive, double-quoted and hard-wired to the PoC's variable
# name "a", so this only catches unmodified copies of the public trigger.
00484 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 9 cached display node use-after-free attempt"; flow:to_client,established; file_data; content:"document.getElementsByTagName(|22|input|22|)[0].focus()"; content:"document.getElementsByTagName(|22|input|22|)[0].applyElement(a)"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3116; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26876; rev:1; service:http; service:imap; service:pop3; )
# sid 26878 (CVE-2013-3110, MS13-047): IE8 tree element use-after-free. HTTP only
# ($HTTP_PORTS, service http) — unlike the neighbouring MS13-047 rules it does not cover
# IMAP/POP3 and has no SMTP sibling in this section, so mail delivery of the same page
# is not detected by it. Chain: document.getElementById -> appendChild within 50 ->
# ClientRects within 50 (fast_pattern, nocase), then at least two "p id" substrings
# after that point — the duplicated content with distance 0 is an occurrence count.
# NOTE(review): "p id" is case-sensitive while the earlier contents are nocase, so
# <P ID=...> markup would not be counted.
00485 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 8 tree element use after free attempt"; flow:to_client,established; file_data; content:"document.getElementById",nocase; content:"appendChild",within 50,nocase; content:"ClientRects",within 50,fast_pattern,nocase; content:"p id",distance 0; content:"p id",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-3110; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-047; classtype:attempted-user; sid:26878; rev:2; service:http; )
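# sid 26883 (CVE-2013-3123, MS13-047): IE onscroll use-after-free, history.go(0)
# variant, client-side over HTTP/IMAP/POP3. Contents: <body onload (nocase), onscroll=
# within 50 bytes, and a case-sensitive history.go(0) call (correct: JS is
# case-sensitive). The pcre then ties the function named in the body's onload attribute
# to a function whose body reloads the page via history.go(0); the
# ((?!</script>).)*? guard keeps the function search inside one script block.
# rev 3 changes: the pcre opened with <script\s*>, which only matches a bare <script>
# tag — a type= or language= attribute on the tag let the page through even though all
# three content matches passed; it now reads <script[^>]*>. onscroll= also gained
# nocase because HTML attribute names are case-insensitive (onScroll= would otherwise
# have evaded the fast-pattern content).
00486 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer onscroll use after free attempt"; flow:to_client,established; file_data; content:"<body onload",nocase; content:"onscroll=",within 50,fast_pattern,nocase; content:"history.go(0)"; pcre:"/<script[^>]*>((?!</script>).)*?function (?P<onload>\w+).*?\{[^}]*?history\.go\(\s*0\s*\).*?<body[^>]*?onload\s*=\s*[\x22\x27](?P=onload)/ims"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3123; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-047; classtype:attempted-user; sid:26883; rev:3; service:http; service:imap; service:pop3; )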
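# sid 26884 (CVE-2013-3123, MS13-047): location.reload( variant of sid 26883,
# client-side over HTTP/IMAP/POP3. Same structure: <body onload (nocase), onscroll=
# within 50, a case-sensitive location.reload( call, and a pcre that requires the
# onload handler named on <body> to be a function whose body calls location.reload(.
# rev 3 changes: <script\s*> in the pcre matched only an attribute-less <script> tag,
# so <script type="text/javascript"> bypassed the rule; it now reads <script[^>]*>.
# onscroll= gained nocase because HTML attribute names are case-insensitive.
00487 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer onscroll use after free attempt"; flow:to_client,established; file_data; content:"<body onload",nocase; content:"onscroll=",within 50,fast_pattern,nocase; content:"location.reload("; pcre:"/<script[^>]*>((?!</script>).)*?function (?P<onload>\w+).*?\{[^}]*?location\.reload\(.*?<body[^>]*?onload\s*=\s*[\x22\x27](?P=onload)/ims"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3123; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-047; classtype:attempted-user; sid:26884; rev:3; service:http; service:imap; service:pop3; )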
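# sid 26886 (CVE-2013-3123, MS13-047): inbound SMTP twin of sid 26883 (history.go(0)
# variant) applied to the decoded attachment on port 25. Source is "any", so
# internally relayed mail is inspected as well.
# rev 4 changes: the pcre's <script\s*> only matched a bare <script> tag, letting an
# attachment with <script type=...> through although every content matched; it now
# reads <script[^>]*>. onscroll= gained nocase (HTML attribute names are
# case-insensitive).
00488 alert tcp any any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer onscroll use after free attempt"; flow:to_server,established; file_data; content:"<body onload",nocase; content:"onscroll=",within 50,fast_pattern,nocase; content:"history.go(0)"; pcre:"/<script[^>]*>((?!</script>).)*?function (?P<onload>\w+).*?\{[^}]*?history\.go\(\s*0\s*\).*?<body[^>]*?onload\s*=\s*[\x22\x27](?P=onload)/ims"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-3123; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-047; classtype:attempted-user; sid:26886; rev:4; service:smtp; )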
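# sid 26887 (CVE-2013-3123, MS13-047): inbound SMTP twin of sid 26884
# (location.reload( variant) applied to the decoded attachment on port 25 from any
# source.
# rev 4 changes: <script\s*> in the pcre matched only an attribute-less <script> tag
# and so missed <script type="text/javascript">; it now reads <script[^>]*>. onscroll=
# gained nocase because HTML attribute names are case-insensitive.
00489 alert tcp any any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer onscroll use after free attempt"; flow:to_server,established; file_data; content:"<body onload",nocase; content:"onscroll=",within 50,fast_pattern,nocase; content:"location.reload("; pcre:"/<script[^>]*>((?!</script>).)*?function (?P<onload>\w+).*?\{[^}]*?location\.reload\(.*?<body[^>]*?onload\s*=\s*[\x22\x27](?P=onload)/ims"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-3123; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-047; classtype:attempted-user; sid:26887; rev:4; service:smtp; )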
# sid 26888 (CVE-2013-3142, MS13-047): IE CTreeNode use-after-free driven through
# jQuery, client-side over HTTP/IMAP/POP3. Chain: a case-sensitive "jquery" anywhere in
# the page (presumably satisfied by a jquery*.js script reference — the jQuery
# identifier itself is usually capitalised), then document.createElement ->
# .document.body.appendChild( within 100 -> .replaceAll( within 150, and a pcre for a
# .css("margin...", "<12+ digits>px") call. The absurdly large margin value is the
# distinctive part of the trigger and is what keeps ordinary jQuery pages from matching.
00490 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CTreeNode use after free memory corruption attempt"; flow:to_client,established; file_data; content:"jquery"; content:"document.createElement",nocase; content:".document.body.appendChild(",within 100,nocase; content:".replaceAll(",within 150,nocase; pcre:"/css\s*?\x28\s*?[\x22\x27]margin[^\x29]*?[\x22\x27]\s*?\x2c\s*?[\x22\x27]\d{12,}\s*?px/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3142; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26888; rev:1; service:http; service:imap; service:pop3; )
# sid 26889 (CVE-2013-3142, MS13-047): inbound SMTP twin of sid 26888 applied to the
# decoded attachment on port 25 from $EXTERNAL_NET. Note it is slightly looser than
# the HTTP sibling: the appendChild and replaceAll contents omit the trailing "(", so
# a property reference without a call also satisfies them. Same 12+-digit margin pcre.
00491 alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer CTreeNode use after free memory corruption attempt"; flow:to_server,established; file_data; content:"jquery"; content:"document.createElement",nocase; content:".document.body.appendChild",within 100,nocase; content:".replaceAll",within 150,nocase; pcre:"/css\s*?\x28\s*?[\x22\x27]margin[^\x29]*?[\x22\x27]\s*?\x2c\s*?[\x22\x27]\d{12,}\s*?px/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-3142; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26889; rev:1; service:smtp; )
# sid 26890 (CVE-2013-3114, MS13-047): inbound HTTP file content with an explicit CollectGarbage() call,
# then .createElement with "xml" within 10 bytes, .setAttributeNode within 100 and .XMLDocument within 100
# (each "within" bounds the gap to the previous match). HTTP only; no SMTP/IMAP/POP3 twin in this span.
00492 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CDocument use after free attempt"; flow:to_client,established; file_data; content:"CollectGarbage()"; content:".createElement",nocase; content:"xml",within 10,nocase; content:".setAttributeNode",within 100,nocase; content:".XMLDocument",within 100,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-3114; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-047; classtype:attempted-user; sid:26890; rev:1; service:http; )
00492 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CDocument use after free attempt"; flow:to_client,established; file_data; content:"CollectGarbage()"; content:".createElement",nocase; content:"xml",within 10,nocase; content:".setAttributeNode",within 100,nocase; content:".XMLDocument",within 100,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-3114; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-047; classtype:attempted-user; sid:26890; rev:1; service:http; )
# sid 26935: outbound HTTP request whose URI contains ".exe." (double extension) from a client whose
# User-Agent line reports MSIE 5 or 6. classtype is bad-unknown and there is no CVE reference, so treat
# hits as a hunting signal rather than a confirmed exploit. Companions: 26936 (".html."), 26937 (".bat.").
00493 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BROWSER-IE Microsoft Internet Explorer image download spoofing attempt"; flow:to_server,established; http_uri; content:".exe."; http_header; content:"MSIE "; pcre:"/^User-Agent:[^\n]*?MSIE [56]/mi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:bad-unknown; sid:26935; rev:2; service:http; )
00493 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BROWSER-IE Microsoft Internet Explorer image download spoofing attempt"; flow:to_server,established; http_uri; content:".exe."; http_header; content:"MSIE "; pcre:"/^User-Agent:[^\n]*?MSIE [56]/mi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:bad-unknown; sid:26935; rev:2; service:http; )
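# sid 26936: outbound HTTP request whose URI contains ".html." from a client whose User-Agent line
# reports MSIE 5 or 6 (companion of 26935 ".exe." and 26937 ".bat."); classtype bad-unknown, no CVE.
# FIX(review): the pcre previously read "MSIE[56]" (no space). The header content match already
# requires "MSIE " with a trailing space, and the sibling rules use "MSIE [56]", so the old pcre could
# not match a normal "MSIE 6.0" token and the rule was effectively dead. Regex corrected and rev bumped
# from 2 to 3 to mark the change.
00494 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BROWSER-IE Microsoft Internet Explorer image download spoofing attempt"; flow:to_server,established; http_uri; content:".html."; http_header; content:"MSIE "; pcre:"/^User-Agent:[^\n]*?MSIE [56]/mi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:bad-unknown; sid:26936; rev:3; service:http; )
00494 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BROWSER-IE Microsoft Internet Explorer image download spoofing attempt"; flow:to_server,established; http_uri; content:".html."; http_header; content:"MSIE "; pcre:"/^User-Agent:[^\n]*?MSIE [56]/mi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:bad-unknown; sid:26936; rev:3; service:http; )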
# sid 26937: outbound HTTP request whose URI contains ".bat." from a client whose User-Agent line
# reports MSIE 5 or 6; same shape as 26935 (".exe.") and 26936 (".html."). classtype bad-unknown, no CVE.
00495 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BROWSER-IE Microsoft Internet Explorer image download spoofing attempt"; flow:to_server,established; http_uri; content:".bat."; http_header; content:"MSIE "; pcre:"/^User-Agent:[^\n]*?MSIE [56]/mi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:bad-unknown; sid:26937; rev:2; service:http; )
00495 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BROWSER-IE Microsoft Internet Explorer image download spoofing attempt"; flow:to_server,established; http_uri; content:".bat."; http_header; content:"MSIE "; pcre:"/^User-Agent:[^\n]*?MSIE [56]/mi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:bad-unknown; sid:26937; rev:2; service:http; )
# sid 26988 (CVE-2013-3119, MS13-047): a single byte-exact match on
# "ele1.addEventListener( 'DOMNodeRemoved', eHandler, false )" - the variable names, spacing and quote
# style of one specific sample. Near-zero false positives, but coverage stops at that exact form; sid 27127
# below matches the same addEventListener/DOMNodeRemoved pattern with positional constraints instead.
# NOTE(review): msg text reads "CTreeNodeobject" (missing space); correcting it requires a rev bump.
00496 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 9 CTreeNodeobject use-after-free attempt"; flow:to_client,established; file_data; content:"ele1.addEventListener( |27|DOMNodeRemoved|27|, eHandler, false )"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3119; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26988; rev:1; service:http; service:imap; service:pop3; )
00496 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 9 CTreeNodeobject use-after-free attempt"; flow:to_client,established; file_data; content:"ele1.addEventListener( |27|DOMNodeRemoved|27|, eHandler, false )"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3119; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26988; rev:1; service:http; service:imap; service:pop3; )
00496 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 9 CTreeNodeobject use-after-free attempt"; flow:to_client,established; file_data; content:"ele1.addEventListener( |27|DOMNodeRemoved|27|, eHandler, false )"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3119; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26988; rev:1; service:http; service:imap; service:pop3; )
00496 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 9 CTreeNodeobject use-after-free attempt"; flow:to_client,established; file_data; content:"ele1.addEventListener( |27|DOMNodeRemoved|27|, eHandler, false )"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3119; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26988; rev:1; service:http; service:imap; service:pop3; )
# sid 27061 (CVE-2013-1311, MS13-037): inbound HTTP/IMAP/POP3 file content with .innerHTML, then
# document.body.appendChild(, CollectGarbage() and setTimeout( in that order (distance 0 chains each to
# the previous match), plus a literal onload='setTimeout attribute.
# NOTE(review): the final match is case-sensitive and single-quoted only, so a double-quoted
# onload="setTimeout form is not matched - confirm that is intended.
00497 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 8 deleted object access via timer memory corruption attempt"; flow:to_client,established; file_data; content:".innerHTML",nocase; content:"document.body.appendChild|28|",distance 0; content:"CollectGarbage()",distance 0,nocase; content:"setTimeout|28|",distance 0,nocase; content:"onload='setTimeout"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-1311; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:27061; rev:1; service:http; service:imap; service:pop3; )
00497 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 8 deleted object access via timer memory corruption attempt"; flow:to_client,established; file_data; content:".innerHTML",nocase; content:"document.body.appendChild|28|",distance 0; content:"CollectGarbage()",distance 0,nocase; content:"setTimeout|28|",distance 0,nocase; content:"onload='setTimeout"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-1311; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:27061; rev:1; service:http; service:imap; service:pop3; )
00497 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 8 deleted object access via timer memory corruption attempt"; flow:to_client,established; file_data; content:".innerHTML",nocase; content:"document.body.appendChild|28|",distance 0; content:"CollectGarbage()",distance 0,nocase; content:"setTimeout|28|",distance 0,nocase; content:"onload='setTimeout"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-1311; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:27061; rev:1; service:http; service:imap; service:pop3; )
00497 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 8 deleted object access via timer memory corruption attempt"; flow:to_client,established; file_data; content:".innerHTML",nocase; content:"document.body.appendChild|28|",distance 0; content:"CollectGarbage()",distance 0,nocase; content:"setTimeout|28|",distance 0,nocase; content:"onload='setTimeout"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-1311; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:27061; rev:1; service:http; service:imap; service:pop3; )
# sid 27062: SMTP-delivered twin of sid 27061 (same content chain, CVE-2013-1311, MS13-037), inbound to
# $SMTP_SERVERS on 25; inherits the single-quote-only onload='setTimeout match noted on 27061.
00498 alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer 8 deleted object access via timer memory corruption attempt"; flow:to_server,established; file_data; content:".innerHTML",nocase; content:"document.body.appendChild|28|",distance 0; content:"CollectGarbage()",distance 0,nocase; content:"setTimeout|28|",distance 0,nocase; content:"onload='setTimeout"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-1311; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:27062; rev:1; service:smtp; )
00498 alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer 8 deleted object access via timer memory corruption attempt"; flow:to_server,established; file_data; content:".innerHTML",nocase; content:"document.body.appendChild|28|",distance 0; content:"CollectGarbage()",distance 0,nocase; content:"setTimeout|28|",distance 0,nocase; content:"onload='setTimeout"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-1311; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:27062; rev:1; service:smtp; )
# sid 27100 (CVE-2013-3118, MS13-047): inbound HTTP/IMAP/POP3 SVG content where a <rect id= carries an
# empty clip-path="" within 25 bytes and .removeAttributeNS("","clip-path"); follows within 100 bytes.
# The removeAttributeNS match is byte-exact apart from case (no whitespace tolerance between arguments).
00499 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer double-free memory corruption attempt"; flow:to_client,established; file_data; content:"<rect id=",nocase; content:"clip-path=|22 22|/>",within 25,nocase; content:".removeAttributeNS(|22 22|,|22|clip-path|22 29 3B|",within 100,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3118; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:27100; rev:1; service:http; service:imap; service:pop3; )
00499 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer double-free memory corruption attempt"; flow:to_client,established; file_data; content:"<rect id=",nocase; content:"clip-path=|22 22|/>",within 25,nocase; content:".removeAttributeNS(|22 22|,|22|clip-path|22 29 3B|",within 100,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3118; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:27100; rev:1; service:http; service:imap; service:pop3; )
00499 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer double-free memory corruption attempt"; flow:to_client,established; file_data; content:"<rect id=",nocase; content:"clip-path=|22 22|/>",within 25,nocase; content:".removeAttributeNS(|22 22|,|22|clip-path|22 29 3B|",within 100,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3118; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:27100; rev:1; service:http; service:imap; service:pop3; )
00499 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer double-free memory corruption attempt"; flow:to_client,established; file_data; content:"<rect id=",nocase; content:"clip-path=|22 22|/>",within 25,nocase; content:".removeAttributeNS(|22 22|,|22|clip-path|22 29 3B|",within 100,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3118; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:27100; rev:1; service:http; service:imap; service:pop3; )
# sid 27101: SMTP-delivered twin of sid 27100 (same <rect>/clip-path/removeAttributeNS chain,
# CVE-2013-3118, MS13-047), inbound to $SMTP_SERVERS on 25.
00500 alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer double-free memory corruption attempt"; flow:to_server,established; file_data; content:"<rect id=",nocase; content:"clip-path=|22 22|/>",within 25,nocase; content:".removeAttributeNS(|22 22|,|22|clip-path|22 29 3B|",within 100,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-3118; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:27101; rev:1; service:smtp; )
00500 alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer double-free memory corruption attempt"; flow:to_server,established; file_data; content:"<rect id=",nocase; content:"clip-path=|22 22|/>",within 25,nocase; content:".removeAttributeNS(|22 22|,|22|clip-path|22 29 3B|",within 100,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-3118; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:27101; rev:1; service:smtp; )
# sid 27126 (CVE-2013-3150, MS13-055): three consecutive .getElementById( / .setCapture( pairs, each
# within 50 bytes of the previous match; fast_pattern is pinned to the first .setCapture(.
# HTTP only ($HTTP_PORTS, service http); no IMAP/POP3/SMTP twin in this span.
00501 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer setCapture use after free attempt"; flow:to_client,established; file_data; content:".getElementById(",nocase; content:".setCapture(",within 50,fast_pattern,nocase; content:".getElementById(",within 50,nocase; content:".setCapture(",within 50,nocase; content:".getElementById(",within 50,nocase; content:".setCapture(",within 50,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-3150; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27126; rev:2; service:http; )
00501 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer setCapture use after free attempt"; flow:to_client,established; file_data; content:".getElementById(",nocase; content:".setCapture(",within 50,fast_pattern,nocase; content:".getElementById(",within 50,nocase; content:".setCapture(",within 50,nocase; content:".getElementById(",within 50,nocase; content:".setCapture(",within 50,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-3150; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27126; rev:2; service:http; )
# sid 27127 (CVE-2013-3143, MS13-055): inbound HTTP/IMAP/POP3 file content with addEventListener,
# DOMNodeRemoved within 50 bytes, then document.write within 30 bytes (all nocase).
# NOTE(review): looser than sid 26988; legitimate mutation-event handlers that call document.write
# nearby could match, so the false-positive rate is worth validating on production traffic.
00502 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 10 CTreePos use-after-free attempt"; flow:to_client,established; file_data; content:"addEventListener",nocase; content:"DOMNodeRemoved",within 50,nocase; content:"document.write",within 30,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3143; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27127; rev:1; service:http; service:imap; service:pop3; )
00502 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 10 CTreePos use-after-free attempt"; flow:to_client,established; file_data; content:"addEventListener",nocase; content:"DOMNodeRemoved",within 50,nocase; content:"document.write",within 30,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3143; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27127; rev:1; service:http; service:imap; service:pop3; )
00502 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 10 CTreePos use-after-free attempt"; flow:to_client,established; file_data; content:"addEventListener",nocase; content:"DOMNodeRemoved",within 50,nocase; content:"document.write",within 30,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3143; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27127; rev:1; service:http; service:imap; service:pop3; )
00502 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 10 CTreePos use-after-free attempt"; flow:to_client,established; file_data; content:"addEventListener",nocase; content:"DOMNodeRemoved",within 50,nocase; content:"document.write",within 30,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3143; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27127; rev:1; service:http; service:imap; service:pop3; )
# sid 27128: SMTP-delivered twin of sid 27127 (addEventListener / DOMNodeRemoved / document.write,
# CVE-2013-3143, MS13-055), inbound to $SMTP_SERVERS on 25.
00503 alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer 10 CTreePos use-after-free attempt"; flow:to_server,established; file_data; content:"addEventListener",nocase; content:"DOMNodeRemoved",within 50,nocase; content:"document.write",within 30,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-3143; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27128; rev:1; service:smtp; )
00503 alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer 10 CTreePos use-after-free attempt"; flow:to_server,established; file_data; content:"addEventListener",nocase; content:"DOMNodeRemoved",within 50,nocase; content:"document.write",within 30,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-3143; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27128; rev:1; service:smtp; )
# sid 27129 (CVE-2013-3148, MS13-055): inbound HTTP/IMAP/POP3 file content with the exact literal
# onbeforecopy='document.write("")' - fixed quoting, no nocase, no whitespace tolerance, so coverage is
# limited to this precise spelling.
00504 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 9 use after free attempt"; flow:to_client,established; file_data; content:"onbeforecopy=|27|document.write(|22 22|)|27|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3148; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27129; rev:1; service:http; service:imap; service:pop3; )
00504 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 9 use after free attempt"; flow:to_client,established; file_data; content:"onbeforecopy=|27|document.write(|22 22|)|27|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3148; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27129; rev:1; service:http; service:imap; service:pop3; )
00504 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 9 use after free attempt"; flow:to_client,established; file_data; content:"onbeforecopy=|27|document.write(|22 22|)|27|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3148; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27129; rev:1; service:http; service:imap; service:pop3; )
00504 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 9 use after free attempt"; flow:to_client,established; file_data; content:"onbeforecopy=|27|document.write(|22 22|)|27|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3148; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27129; rev:1; service:http; service:imap; service:pop3; )
# sid 27130: SMTP-delivered twin of sid 27129 (same exact onbeforecopy='document.write("")' literal,
# CVE-2013-3148, MS13-055), inbound to $SMTP_SERVERS on 25.
00505 alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer 9 use after free attempt"; flow:to_server,established; file_data; content:"onbeforecopy=|27|document.write(|22 22|)|27|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-3148; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27130; rev:1; service:smtp; )
00505 alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer 9 use after free attempt"; flow:to_server,established; file_data; content:"onbeforecopy=|27|document.write(|22 22|)|27|"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-3148; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27130; rev:1; service:smtp; )
# sid 27131 (CVE-2013-3151, MS13-055): one long byte-exact match of three
# appendChild(document.createElement(...)) calls (two 'q', one 'progress') followed by
# document.getElementsByTagName; case-sensitive and tied to single-quote style. HTTP only.
00506 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 8 CTreePos use after free attempt"; flow:to_client,established; file_data; content:"appendChild(document.createElement('q'))|3B|document.body.appendChild(document.createElement('q'))|3B|document.body.appendChild(document.createElement('progress'))|3B|document.getElementsByTagName"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-3151; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27131; rev:1; service:http; )
00506 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 8 CTreePos use after free attempt"; flow:to_client,established; file_data; content:"appendChild(document.createElement('q'))|3B|document.body.appendChild(document.createElement('q'))|3B|document.body.appendChild(document.createElement('progress'))|3B|document.getElementsByTagName"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-3151; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27131; rev:1; service:http; )
# sid 27132 (CVE-2013-3153, MS13-055): inbound HTTP/IMAP/POP3 file content with .onpropertychange
# followed by .swapNode( within 64 bytes; the pcre further requires the swapNode call to sit inside the
# function body assigned to onpropertychange.
# NOTE(review): the pcre's [^}]*? stops at the first "}", so a handler containing a nested block before
# the swapNode call is not matched - confirm that narrowing is acceptable.
00507 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer PreviousTreePos use after free attempt"; flow:to_client,established; file_data; content:".onpropertychange"; content:".swapNode|28|",within 64; pcre:"/\.onpropertychange\s*=\s*function[^{]*?\{[^}]*?\w+\.swapNode\x28/ims"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3153; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27132; rev:1; service:http; service:imap; service:pop3; )
00507 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer PreviousTreePos use after free attempt"; flow:to_client,established; file_data; content:".onpropertychange"; content:".swapNode|28|",within 64; pcre:"/\.onpropertychange\s*=\s*function[^{]*?\{[^}]*?\w+\.swapNode\x28/ims"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3153; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27132; rev:1; service:http; service:imap; service:pop3; )
00507 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer PreviousTreePos use after free attempt"; flow:to_client,established; file_data; content:".onpropertychange"; content:".swapNode|28|",within 64; pcre:"/\.onpropertychange\s*=\s*function[^{]*?\{[^}]*?\w+\.swapNode\x28/ims"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3153; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27132; rev:1; service:http; service:imap; service:pop3; )
00507 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer PreviousTreePos use after free attempt"; flow:to_client,established; file_data; content:".onpropertychange"; content:".swapNode|28|",within 64; pcre:"/\.onpropertychange\s*=\s*function[^{]*?\{[^}]*?\w+\.swapNode\x28/ims"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3153; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27132; rev:1; service:http; service:imap; service:pop3; )
# sid 27133 (CVE-2013-3115, MS13-055): inbound HTTP/IMAP/POP3 file content where the result of
# getElementsByTagName("input")[0] (or .first) is stored in a variable and, via the (?P=var)
# back-reference, that same variable gets .height = 0 within 256 bytes and .disabled = true within
# 512 bytes; the content chain also requires .focus() and document.body.noWrap in order.
00508 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer display node use after free attempt"; flow:to_client,established; file_data; content:"getElementsByTagName|28|"; content:"input",within 8; content:".height",distance 0; content:".focus|28 29|",distance 0; content:"document.body.noWrap",distance 0; content:".disabled",distance 0; pcre:"/(?P<var>\w+)\s*=\s*[\w.]+\.getElementsByTagName\(\s*[\x22\x27]input[\x22\x27]\s*\)(\[\s*0\s*]|\.first)\s*\x3b.{0,256}(?P=var)\.height\s*=\s*0\s*\x3b.{0,512}(?P=var)\.disabled\s*=\s*true/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3115; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-055; classtype:attempted-user; sid:27133; rev:1; service:http; service:imap; service:pop3; )
00508 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer display node use after free attempt"; flow:to_client,established; file_data; content:"getElementsByTagName|28|"; content:"input",within 8; content:".height",distance 0; content:".focus|28 29|",distance 0; content:"document.body.noWrap",distance 0; content:".disabled",distance 0; pcre:"/(?P<var>\w+)\s*=\s*[\w.]+\.getElementsByTagName\(\s*[\x22\x27]input[\x22\x27]\s*\)(\[\s*0\s*]|\.first)\s*\x3b.{0,256}(?P=var)\.height\s*=\s*0\s*\x3b.{0,512}(?P=var)\.disabled\s*=\s*true/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3115; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-055; classtype:attempted-user; sid:27133; rev:1; service:http; service:imap; service:pop3; )
00508 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer display node use after free attempt"; flow:to_client,established; file_data; content:"getElementsByTagName|28|"; content:"input",within 8; content:".height",distance 0; content:".focus|28 29|",distance 0; content:"document.body.noWrap",distance 0; content:".disabled",distance 0; pcre:"/(?P<var>\w+)\s*=\s*[\w.]+\.getElementsByTagName\(\s*[\x22\x27]input[\x22\x27]\s*\)(\[\s*0\s*]|\.first)\s*\x3b.{0,256}(?P=var)\.height\s*=\s*0\s*\x3b.{0,512}(?P=var)\.disabled\s*=\s*true/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3115; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-055; classtype:attempted-user; sid:27133; rev:1; service:http; service:imap; service:pop3; )
00508 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer display node use after free attempt"; flow:to_client,established; file_data; content:"getElementsByTagName|28|"; content:"input",within 8; content:".height",distance 0; content:".focus|28 29|",distance 0; content:"document.body.noWrap",distance 0; content:".disabled",distance 0; pcre:"/(?P<var>\w+)\s*=\s*[\w.]+\.getElementsByTagName\(\s*[\x22\x27]input[\x22\x27]\s*\)(\[\s*0\s*]|\.first)\s*\x3b.{0,256}(?P=var)\.height\s*=\s*0\s*\x3b.{0,512}(?P=var)\.disabled\s*=\s*true/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3115; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-055; classtype:attempted-user; sid:27133; rev:1; service:http; service:imap; service:pop3; )
# sid 27134: SMTP-delivered twin of sid 27133 (same content chain and back-referencing pcre,
# CVE-2013-3115, MS13-055).
# NOTE(review): the source is "any any", unlike the other SMTP twins in this span which use
# "$EXTERNAL_NET any" (26889, 27062, 27101, 27128, 27130, 27138), so mail originating inside $HOME_NET is
# inspected as well; rev:2 suggests the widening was deliberate - confirm before harmonising it.
00509 alert tcp any any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer display node use after free attempt"; flow:to_server,established; file_data; content:"getElementsByTagName|28|"; content:"input",within 8; content:".height",distance 0; content:".focus|28 29|",distance 0; content:"document.body.noWrap",distance 0; content:".disabled",distance 0; pcre:"/(?P<var>\w+)\s*=\s*[\w.]+\.getElementsByTagName\(\s*[\x22\x27]input[\x22\x27]\s*\)(\[\s*0\s*]|\.first)\s*\x3b.{0,256}(?P=var)\.height\s*=\s*0\s*\x3b.{0,512}(?P=var)\.disabled\s*=\s*true/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-3115; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-055; classtype:attempted-user; sid:27134; rev:2; service:smtp; )
00509 alert tcp any any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer display node use after free attempt"; flow:to_server,established; file_data; content:"getElementsByTagName|28|"; content:"input",within 8; content:".height",distance 0; content:".focus|28 29|",distance 0; content:"document.body.noWrap",distance 0; content:".disabled",distance 0; pcre:"/(?P<var>\w+)\s*=\s*[\w.]+\.getElementsByTagName\(\s*[\x22\x27]input[\x22\x27]\s*\)(\[\s*0\s*]|\.first)\s*\x3b.{0,256}(?P=var)\.height\s*=\s*0\s*\x3b.{0,512}(?P=var)\.disabled\s*=\s*true/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-3115; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-055; classtype:attempted-user; sid:27134; rev:2; service:smtp; )
# sid 27135 (CVE-2013-3152, MS13-055): four bare content matches (createTHead, insertAdjacentHTML,
# scrollIntoView, insertRow) with no within/distance ordering and no nocase, anywhere in an inbound HTTP
# file body.
# NOTE(review): the loosest constraint set in this span - ordinary table-manipulating scripts that use
# these four DOM APIs would also match; if false positives appear, adding ordering constraints (as the
# neighbouring rules do) is the natural tightening.
00510 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 10 CTreePos use after free attempt"; flow:to_client,established; file_data; content:"createTHead"; content:"insertAdjacentHTML"; content:"scrollIntoView"; content:"insertRow"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-3152; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27135; rev:1; service:http; )
00510 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 10 CTreePos use after free attempt"; flow:to_client,established; file_data; content:"createTHead"; content:"insertAdjacentHTML"; content:"scrollIntoView"; content:"insertRow"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-3152; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27135; rev:1; service:http; )
# sid 27137 (CVE-2013-3164, MS13-055), rev 4: inbound HTTP/IMAP/POP3 file content with
# document.body.innerHTML, then document.styleSheets[0].cssText within 250 bytes, then
# document.body.innerHTML again within 250 bytes (all nocase).
00511 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CTreeNode use after free memory corruption attempt"; flow:to_client,established; file_data; content:"document.body.innerHTML",nocase; content:"document.styleSheets[0].cssText",within 250,nocase; content:"document.body.innerHTML",within 250,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3164; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27137; rev:4; service:http; service:imap; service:pop3; )
00511 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CTreeNode use after free memory corruption attempt"; flow:to_client,established; file_data; content:"document.body.innerHTML",nocase; content:"document.styleSheets[0].cssText",within 250,nocase; content:"document.body.innerHTML",within 250,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3164; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27137; rev:4; service:http; service:imap; service:pop3; )
00511 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CTreeNode use after free memory corruption attempt"; flow:to_client,established; file_data; content:"document.body.innerHTML",nocase; content:"document.styleSheets[0].cssText",within 250,nocase; content:"document.body.innerHTML",within 250,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3164; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27137; rev:4; service:http; service:imap; service:pop3; )
00511 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CTreeNode use after free memory corruption attempt"; flow:to_client,established; file_data; content:"document.body.innerHTML",nocase; content:"document.styleSheets[0].cssText",within 250,nocase; content:"document.body.innerHTML",within 250,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3164; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27137; rev:4; service:http; service:imap; service:pop3; )
# sid 27138 (rev 4) - SMTP twin of sid 27137 (CVE-2013-3164, MS13-055): same match chain,
# but directed at $SMTP_SERVERS port 25 with flow:to_server, since inbound mail flows
# towards the server. file_data here inspects the decoded MIME attachment body.
00512 alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer CTreeNode use after free memory corruption attempt"; flow:to_server,established; file_data; content:"document.body.innerHTML",nocase; content:"document.styleSheets[0].cssText",within 250,nocase; content:"document.body.innerHTML",within 250,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-3164; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27138; rev:4; service:smtp; )
# sid 27147 (rev 1) - BROWSER-IE: IE 9 in IE5 compatibility mode, use-after-free
# (CVE-2013-3144, MS13-055). Requires the X-UA-Compatible IE=5 meta tag (quotes as
# |22|) plus event.srcElement.parentNode.removeChild( and document.body.appendChild(.
# NOTE(review): the three contents are unanchored and case-sensitive (no nocase), so a
# differently cased meta tag, or attribute quoting other than double quotes, is not matched.
# NOTE(review): classtype is attempted-admin whereas the neighbouring MS13-055 rules use
# attempted-user; confirm this is intended, as classtype drives alert priority.
00513 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 9 IE5 compatibility mode use after free attempt"; flow:established,to_client; file_data; content:"meta http-equiv=|22|X-UA-Compatible|22| content=|22|IE=5|22|"; content:"event.srcElement.parentNode.removeChild|28|"; content:"document.body.appendChild|28|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-3144; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-055; classtype:attempted-admin; sid:27147; rev:1; service:http; )
# sid 27148 (rev 1) - BROWSER-IE: IE 6-9 deleted object access (CVE-2013-3147, MS13-055).
# Ordered chain anchored on "function": document.write within 25 -> onbeforeeditfocus=
# within 100 -> <input within 25 -> </input> within 30, all nocase.
# The leading "function" token is extremely common on its own; the tight within windows
# on the later matches are what keep this rule specific. Covers http/imap/pop3;
# sid 27149 is the SMTP twin.
00514 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer versions 6-9 deleted object access attempt"; flow:to_client,established; file_data; content:"function",nocase; content:"document.write",within 25,nocase; content:"onbeforeeditfocus=",within 100,nocase; content:"<input",within 25,nocase; content:"</input>",within 30,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3147; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-055; classtype:attempted-user; sid:27148; rev:1; service:http; service:imap; service:pop3; )
# sid 27149 (rev 1) - SMTP twin of sid 27148 (CVE-2013-3147, MS13-055): identical match
# chain applied to mail bound for $SMTP_SERVERS port 25 (flow:to_server, service smtp).
00515 alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer versions 6-9 deleted object access attempt"; flow:to_server,established; file_data; content:"function",nocase; content:"document.write",within 25,nocase; content:"onbeforeeditfocus=",within 100,nocase; content:"<input",within 25,nocase; content:"</input>",within 30,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-3147; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-055; classtype:attempted-user; sid:27149; rev:1; service:smtp; )
# sid 27150 (rev 1) - BROWSER-IE: IE use-after-free (CVE-2013-3163, MS13-055).
# Anchored on the case-sensitive literal "myObj[0].offset", then document.execCommand(
# immediately followed by SelectAll (distance 1, within 9 - i.e. skipping a single
# quote character), then document.getElementsByName( within 100 and
# document.execCommand("Justify within 200, the latter four nocase.
# sid 27151 carries the same match set with the getElementsByName/Justify pair before
# the execCommand/SelectAll pair - relative content matches are order-sensitive, so
# two rules are presumably needed to cover both orderings of the same script.
# NOTE(review): "myObj[0].offset" is a PoC-specific variable name; renaming it defeats
# the rule, so treat this as a known-exploit-code signature rather than technique coverage.
00516 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer use after free attempt"; flow:to_client,established; file_data; content:"myObj[0].offset"; content:"document.execCommand(",nocase; content:"SelectAll",within 9,distance 1,nocase; content:"document.getElementsByName(",within 100,nocase; content:"document.execCommand(|22|Justify",within 200,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3163; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27150; rev:1; service:http; service:imap; service:pop3; )
# sid 27151 (rev 1) - BROWSER-IE: IE use-after-free (CVE-2013-3163, MS13-055).
# Alternate ordering of sid 27150: "myObj[0].offset", then document.getElementsByName(
# -> document.execCommand("Justify within 200 -> document.execCommand( within 100
# -> SelectAll (distance 1, within 9). Same PoC-specific anchor string applies.
# Covers http/imap/pop3; sid 27153 is the SMTP twin.
00517 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer use after free attempt"; flow:to_client,established; file_data; content:"myObj[0].offset"; content:"document.getElementsByName(",nocase; content:"document.execCommand(|22|Justify",within 200,nocase; content:"document.execCommand(",within 100,nocase; content:"SelectAll",within 9,distance 1,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3163; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27151; rev:1; service:http; service:imap; service:pop3; )
# sid 27152 (rev 1) - SMTP twin of sid 27150 (CVE-2013-3163, MS13-055): same ordering
# (execCommand/SelectAll before getElementsByName/Justify), applied to mail bound
# for $SMTP_SERVERS port 25.
00518 alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer use after free attempt"; flow:to_server,established; file_data; content:"myObj[0].offset"; content:"document.execCommand(",nocase; content:"SelectAll",within 9,distance 1,nocase; content:"document.getElementsByName(",within 100,nocase; content:"document.execCommand(|22|Justify",within 200,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-3163; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27152; rev:1; service:smtp; )
# sid 27153 (rev 1) - SMTP twin of sid 27151 (CVE-2013-3163, MS13-055): same ordering
# (getElementsByName/Justify before execCommand/SelectAll), applied to mail bound
# for $SMTP_SERVERS port 25.
00519 alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer use after free attempt"; flow:to_server,established; file_data; content:"myObj[0].offset"; content:"document.getElementsByName(",nocase; content:"document.execCommand(|22|Justify",within 200,nocase; content:"document.execCommand(",within 100,nocase; content:"SelectAll",within 9,distance 1,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-3163; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27153; rev:1; service:smtp; )
# sid 27154 (rev 1) - BROWSER-IE: IE pElement member use-after-free (CVE-2013-3145, MS13-055).
# Ordered chain, all nocase: .removeChild(document.getElementsByTagName( -> "bdo" within 10
# -> CollectGarbage() within 200. CollectGarbage() is a JScript-specific call and the
# most distinctive token here; "bdo" is only three bytes but is tightly bound to the
# preceding match by within 10.
# HTTP only; no $FILE_DATA_PORTS or SMTP counterpart appears in this listing.
00520 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer pElement member use after free attempt"; flow:to_client,established; file_data; content:".removeChild(document.getElementsByTagName(",nocase; content:"bdo",within 10,nocase; content:"CollectGarbage()",within 200,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-3145; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27154; rev:1; service:http; )
# sid 27156 (rev 1) - BROWSER-IE: IE table column-count integer overflow (CVE-2013-3146, MS13-055).
# Four content pre-filters (<table, <td, .getElementsByTagName(, column-count) gate a pcre
# that captures the variable assigned from getElementsByTagName('td').item(0) / .first
# and, via the (?P=var) backreference, requires that same variable's style.column-count
# (direct assignment or setAttribute) to be set to an optionally 0x-prefixed 8-hex-digit value.
# The /s modifier plus .*? lets the backreference span the whole buffer; the content
# gates are what keep the regex from running against every response.
# NOTE(review): "<td" and the two contents after it lack nocase although "<table" has it
# and the pcre is /i, so an upper-case <TD> tag fails the content stage before the
# case-insensitive regex is ever reached. Covers http/imap/pop3; sid 27157 is the SMTP twin.
00521 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer table column-count integer overflow attempt"; flow:to_client,established; file_data; content:"<table",nocase; content:"<td",distance 0; content:".getElementsByTagName("; content:"column-count",distance 0; pcre:"/var\s*(?P<var>\w+)\s*=\s*\w+\.getElementsByTagName\(\s*[\x22\x27]td[\x22\x27]\s*\)\.item(\(\s*0\s*\)|\.first)\s*\x3b.*?(?P=var)\.style\.(column-count\s*=|setAttribute\s*\(\s*[\x22\x27]column-count[\x22\x27]\s*,)\s*[\x22\x27]?(0x)?[a-f\d]{8}/msi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3146; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27156; rev:1; service:http; service:imap; service:pop3; )
# sid 27157 (rev 2) - SMTP twin of sid 27156 (CVE-2013-3146, MS13-055): same content gates
# and pcre, applied to mail bound for $SMTP_SERVERS port 25. The nocase gap on "<td" and
# the following contents is present here as well.
00522 alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer table column-count integer overflow attempt"; flow:to_server,established; file_data; content:"<table",nocase; content:"<td",distance 0; content:".getElementsByTagName("; content:"column-count",distance 0; pcre:"/var\s*(?P<var>\w+)\s*=\s*\w+\.getElementsByTagName\(\s*[\x22\x27]td[\x22\x27]\s*\)\.item(\(\s*0\s*\)|\.first)\s*\x3b.*?(?P=var)\.style\.(column-count\s*=|setAttribute\s*\(\s*[\x22\x27]column-count[\x22\x27]\s*,)\s*[\x22\x27]?(0x)?[a-f\d]{8}/msi"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-3146; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27157; rev:2; service:smtp; )
# sid 27171 (rev 1) - BROWSER-IE: IE use-after-free (CVE-2013-3163, MS13-055).
# Ordered chain, all nocase: document.createElement( -> document.body.appendChild( within 100
# -> applyElement( within 100 -> innerHTML within 100. The pcre then requires one and the
# same variable (badelement) to be created, appended to body and passed to applyElement
# before an innerHTML assignment of an empty string.
# fast_pattern is set explicitly on "applyElement(" - presumably the least common of the
# four tokens - which is the right choice for the multi-pattern matcher and worth
# copying in the sibling rules that leave it to the default longest-content selection.
# Covers http/imap/pop3; sid 27172 is the SMTP twin.
00523 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer use after free attempt"; flow:to_client,established; file_data; content:"document.createElement(",nocase; content:"document.body.appendChild(",within 100,nocase; content:"applyElement(",within 100,fast_pattern,nocase; content:"innerHTML",within 100,nocase; pcre:"/var\s*?(?P<badelement>\w+)\s*?=\s*?document\.createElement.*?document\.body\.appendChild[\x28]\s*?(?P=badelement)\s*?[\x29].*?applyElement[\x28]\s*?(?P=badelement)\s*?[\x29].*?innerHTML\s*?=\s*?[\x22\x27]\s*?[\x22\x27]/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3163; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27171; rev:1; service:http; service:imap; service:pop3; )
# sid 27172 (rev 1) - SMTP twin of sid 27171 (CVE-2013-3163, MS13-055): same content chain,
# explicit fast_pattern on "applyElement(" and backreference pcre, applied to mail bound
# for $SMTP_SERVERS port 25.
00524 alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer use after free attempt"; flow:to_server,established; file_data; content:"document.createElement(",nocase; content:"document.body.appendChild(",within 100,nocase; content:"applyElement(",within 100,fast_pattern,nocase; content:"innerHTML",within 100,nocase; pcre:"/var\s*?(?P<badelement>\w+)\s*?=\s*?document\.createElement.*?document\.body\.appendChild[\x28]\s*?(?P=badelement)\s*?[\x29].*?applyElement[\x28]\s*?(?P=badelement)\s*?[\x29].*?innerHTML\s*?=\s*?[\x22\x27]\s*?[\x22\x27]/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:cve,2013-3163; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27172; rev:1; service:smtp; )
# sid 27220 (rev 1) - BROWSER-IE: IE virtual function table corruption
# (CVE-2012-2522, MS12-052, bugtraq 54951).
# Contents <MARQUEE, .removeNode, document.execCommand and selectAll (within 15) gate a
# pcre that correlates a select / marquee / span id triple (badelem, badelem2, badelem3)
# with a focus() on the select, an innerHTML write on the span, removeNode(true) on the
# marquee and a final execCommand('selectAll').
# NOTE(review): none of the four content matches here carries nocase, whereas the SMTP
# twin sid 27221 has nocase on .removeNode / document.execCommand / selectAll and this
# pcre is /i. A lower-case <marquee> tag would be accepted by the regex but never reaches
# it because the case-sensitive "<MARQUEE" content fails first; consider aligning the
# two rules (and both could be evaded the same way).
00525 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer virtual function table corruption attempt"; flow:to_client,established; file_data; content:"<MARQUEE"; content:".removeNode"; content:"document.execCommand"; content:"selectAll",within 15; pcre:"/select\s*?id\s*?=[\x22\x27](?P<badelem>\w+).*?<\s*?marquee\s*?id\s*?=\s*?[\x22\x27](?P<badelem2>\w+).*?<\s*?span\s*?id\s*?=[\x22\x27](?P<badelem3>\w+)[\x22\x27].*?[\x22\x27](?P=badelem)[\x22\x27]\x29\s*?\.focus\x28\x29.*?(?P=badelem3)\.innerHTML.*?[\x22\x27](?P=badelem2)[\x22\x27]\x29\s*?\.removeNode\x28\s*?true\x29.*?document\.execCommand\x28[\x22\x27]selectAll/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,54951; reference:cve,2012-2522; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-052; classtype:attempted-user; sid:27220; rev:1; service:http; service:imap; service:pop3; )
# sid 27221 (rev 1) - SMTP twin of sid 27220 (CVE-2012-2522, MS12-052): same pcre, applied
# to mail bound for $SMTP_SERVERS port 25. Unlike 27220, .removeNode, document.execCommand
# and selectAll carry nocase here; "<MARQUEE" is still case-sensitive in both rules.
00526 alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer virtual function table corruption attempt"; flow:to_server,established; file_data; content:"<MARQUEE"; content:".removeNode",nocase; content:"document.execCommand",nocase; content:"selectAll",within 15,nocase; pcre:"/select\s*?id\s*?=[\x22\x27](?P<badelem>\w+).*?<\s*?marquee\s*?id\s*?=\s*?[\x22\x27](?P<badelem2>\w+).*?<\s*?span\s*?id\s*?=[\x22\x27](?P<badelem3>\w+)[\x22\x27].*?[\x22\x27](?P=badelem)[\x22\x27]\x29\s*?\.focus\x28\x29.*?(?P=badelem3)\.innerHTML.*?[\x22\x27](?P=badelem2)[\x22\x27]\x29\s*?\.removeNode\x28\s*?true\x29.*?document\.execCommand\x28[\x22\x27]selectAll/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:bugtraq,54951; reference:cve,2012-2522; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-052; classtype:attempted-user; sid:27221; rev:1; service:smtp; )
00527 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-OTHER Opera asynchronous document modifications attempted memory corruption"; flow:to_client,established; file_data; content:"function loop|28 29|"; content:"setInterval|28|doit,0|29|",distance 0; content:"function doit|28 29|",distance 0; content:"document.write",distance 0; content:"setInterval|28|loop,0|29|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,secunia.com/advisories/39590/; reference:url,www.opera.com/support/kb/view/953/; classtype:attempted-user; sid:16592; rev:4; service:http; )
00527 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-OTHER Opera asynchronous document modifications attempted memory corruption"; flow:to_client,established; file_data; content:"function loop|28 29|"; content:"setInterval|28|doit,0|29|",distance 0; content:"function doit|28 29|",distance 0; content:"document.write",distance 0; content:"setInterval|28|loop,0|29|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,secunia.com/advisories/39590/; reference:url,www.opera.com/support/kb/view/953/; classtype:attempted-user; sid:16592; rev:4; service:http; )
00528 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-OTHER HTML5 canvas element heap spray attempt"; flow:to_client,established; file_data; content:" for"; content:"document.createElement(|27|canvas|27|)",within 100,nocase; content:"getContext(|27|2d|27|)",within 200,nocase; content:"createImageData(",within 200,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=HTML5_Heap_Sprays_Pwn_All_The_Things; classtype:shellcode-detect; sid:24432; rev:4; service:http; service:imap; service:pop3; )
00528 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-OTHER HTML5 canvas element heap spray attempt"; flow:to_client,established; file_data; content:" for"; content:"document.createElement(|27|canvas|27|)",within 100,nocase; content:"getContext(|27|2d|27|)",within 200,nocase; content:"createImageData(",within 200,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=HTML5_Heap_Sprays_Pwn_All_The_Things; classtype:shellcode-detect; sid:24432; rev:4; service:http; service:imap; service:pop3; )
00528 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-OTHER HTML5 canvas element heap spray attempt"; flow:to_client,established; file_data; content:" for"; content:"document.createElement(|27|canvas|27|)",within 100,nocase; content:"getContext(|27|2d|27|)",within 200,nocase; content:"createImageData(",within 200,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=HTML5_Heap_Sprays_Pwn_All_The_Things; classtype:shellcode-detect; sid:24432; rev:4; service:http; service:imap; service:pop3; )
00528 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-OTHER HTML5 canvas element heap spray attempt"; flow:to_client,established; file_data; content:" for"; content:"document.createElement(|27|canvas|27|)",within 100,nocase; content:"getContext(|27|2d|27|)",within 200,nocase; content:"createImageData(",within 200,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=HTML5_Heap_Sprays_Pwn_All_The_Things; classtype:shellcode-detect; sid:24432; rev:4; service:http; service:imap; service:pop3; )
00529 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-OTHER HTML5 canvas element heap spray attempt"; flow:to_client,established; file_data; content:"Uint8ClampedArray(1024*1024)|3B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=HTML5_Heap_Sprays_Pwn_All_The_Things; classtype:shellcode-detect; sid:24433; rev:2; service:http; service:imap; service:pop3; )
00529 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-OTHER HTML5 canvas element heap spray attempt"; flow:to_client,established; file_data; content:"Uint8ClampedArray(1024*1024)|3B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=HTML5_Heap_Sprays_Pwn_All_The_Things; classtype:shellcode-detect; sid:24433; rev:2; service:http; service:imap; service:pop3; )
00529 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-OTHER HTML5 canvas element heap spray attempt"; flow:to_client,established; file_data; content:"Uint8ClampedArray(1024*1024)|3B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=HTML5_Heap_Sprays_Pwn_All_The_Things; classtype:shellcode-detect; sid:24433; rev:2; service:http; service:imap; service:pop3; )
00529 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-OTHER HTML5 canvas element heap spray attempt"; flow:to_client,established; file_data; content:"Uint8ClampedArray(1024*1024)|3B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=HTML5_Heap_Sprays_Pwn_All_The_Things; classtype:shellcode-detect; sid:24433; rev:2; service:http; service:imap; service:pop3; )
00530 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-OTHER Opera use after free attempt"; flow:to_client,established; file_data; content:"window.opera.collect|28 29|"; content:"<svg"; content:"<clipPath"; content:"document.createElement"; content:"use",within 3,distance 2; pcre:"/\x3cclippath\s*?id\s*?\x3d[\x22\x27](?P<id_name>\w+).*?(\x3ccircle|\x3crect|\x3cellipse|\x3cline|\x3cpolyline|\x3cpolygon)\s*?id\s*?\x3d\s*?[\x22\x27](?P<shape_name>\w+).*?document\x2egetElementById\x28[\x22\x27](?P=shape_name).*?\x3d\s*[\x22\x27]url\x28\x23(?P=id_name)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,pastie.org/6029531#32; classtype:attempted-user; sid:25621; rev:1; service:http; service:imap; service:pop3; )
00530 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-OTHER Opera use after free attempt"; flow:to_client,established; file_data; content:"window.opera.collect|28 29|"; content:"<svg"; content:"<clipPath"; content:"document.createElement"; content:"use",within 3,distance 2; pcre:"/\x3cclippath\s*?id\s*?\x3d[\x22\x27](?P<id_name>\w+).*?(\x3ccircle|\x3crect|\x3cellipse|\x3cline|\x3cpolyline|\x3cpolygon)\s*?id\s*?\x3d\s*?[\x22\x27](?P<shape_name>\w+).*?document\x2egetElementById\x28[\x22\x27](?P=shape_name).*?\x3d\s*[\x22\x27]url\x28\x23(?P=id_name)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,pastie.org/6029531#32; classtype:attempted-user; sid:25621; rev:1; service:http; service:imap; service:pop3; )
00530 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-OTHER Opera use after free attempt"; flow:to_client,established; file_data; content:"window.opera.collect|28 29|"; content:"<svg"; content:"<clipPath"; content:"document.createElement"; content:"use",within 3,distance 2; pcre:"/\x3cclippath\s*?id\s*?\x3d[\x22\x27](?P<id_name>\w+).*?(\x3ccircle|\x3crect|\x3cellipse|\x3cline|\x3cpolyline|\x3cpolygon)\s*?id\s*?\x3d\s*?[\x22\x27](?P<shape_name>\w+).*?document\x2egetElementById\x28[\x22\x27](?P=shape_name).*?\x3d\s*[\x22\x27]url\x28\x23(?P=id_name)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,pastie.org/6029531#32; classtype:attempted-user; sid:25621; rev:1; service:http; service:imap; service:pop3; )
00530 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-OTHER Opera use after free attempt"; flow:to_client,established; file_data; content:"window.opera.collect|28 29|"; content:"<svg"; content:"<clipPath"; content:"document.createElement"; content:"use",within 3,distance 2; pcre:"/\x3cclippath\s*?id\s*?\x3d[\x22\x27](?P<id_name>\w+).*?(\x3ccircle|\x3crect|\x3cellipse|\x3cline|\x3cpolyline|\x3cpolygon)\s*?id\s*?\x3d\s*?[\x22\x27](?P<shape_name>\w+).*?document\x2egetElementById\x28[\x22\x27](?P=shape_name).*?\x3d\s*[\x22\x27]url\x28\x23(?P=id_name)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,pastie.org/6029531#32; classtype:attempted-user; sid:25621; rev:1; service:http; service:imap; service:pop3; )
00531 alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-OTHER Opera use after free attempt"; flow:to_server,established; file_data; content:"window.opera.collect|28 29|"; content:"<svg"; content:"<clipPath"; content:"document.createElement"; content:"use",within 3,distance 2; pcre:"/\x3cclippath\s*?id\s*?\x3d[\x22\x27](?P<id_name>\w+).*?(\x3ccircle|\x3crect|\x3cellipse|\x3cline|\x3cpolyline|\x3cpolygon)\s*?id\s*?\x3d\s*?[\x22\x27](?P<shape_name>\w+).*?document\x2egetElementById\x28[\x22\x27](?P=shape_name).*?\x3d\s*[\x22\x27]url\x28\x23(?P=id_name)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,pastie.org/6029531#32; classtype:attempted-user; sid:25622; rev:1; service:smtp; )
00531 alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-OTHER Opera use after free attempt"; flow:to_server,established; file_data; content:"window.opera.collect|28 29|"; content:"<svg"; content:"<clipPath"; content:"document.createElement"; content:"use",within 3,distance 2; pcre:"/\x3cclippath\s*?id\s*?\x3d[\x22\x27](?P<id_name>\w+).*?(\x3ccircle|\x3crect|\x3cellipse|\x3cline|\x3cpolyline|\x3cpolygon)\s*?id\s*?\x3d\s*?[\x22\x27](?P<shape_name>\w+).*?document\x2egetElementById\x28[\x22\x27](?P=shape_name).*?\x3d\s*[\x22\x27]url\x28\x23(?P=id_name)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service smtp; reference:url,pastie.org/6029531#32; classtype:attempted-user; sid:25622; rev:1; service:smtp; )
00532 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Media Player ActiveX unknow compression algorithm use arbitrary code execution attempt"; flow:to_client,established; file_data; content:"6BF52A52-394A-11d3-B153-00C04F79FAA6",nocase; content:"SendPlayStateChangeEvents",fast_pattern,nocase; content:"event=|22|playStateChange|28|state|29 22|>onstatechange",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-0268; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-027; classtype:attempted-user; sid:16537; rev:7; service:http; )
00532 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Media Player ActiveX unknow compression algorithm use arbitrary code execution attempt"; flow:to_client,established; file_data; content:"6BF52A52-394A-11d3-B153-00C04F79FAA6",nocase; content:"SendPlayStateChangeEvents",fast_pattern,nocase; content:"event=|22|playStateChange|28|state|29 22|>onstatechange",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-0268; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-027; classtype:attempted-user; sid:16537; rev:7; service:http; )
00533 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS FileSystemObject function call"; flow:to_client,established; file_data; content:"Scripting.FileSystemObject"; content:"<script",nocase; content:"Scripting.FileSystemObject",distance 0,nocase; content:"</script>",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-3934; classtype:policy-violation; sid:21447; rev:4; service:http; )
00533 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS FileSystemObject function call"; flow:to_client,established; file_data; content:"Scripting.FileSystemObject"; content:"<script",nocase; content:"Scripting.FileSystemObject",distance 0,nocase; content:"</script>",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-3934; classtype:policy-violation; sid:21447; rev:4; service:http; )
00534 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft DirectShow ActiveX exploit via JavaScript"; flow:to_client,established; file_data; content:".classid='clsid|3A|0955AC62-BF2E-4CBA-A2B9-A63F772D46CF'|3B|",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-032; classtype:attempted-user; sid:15678; rev:8; service:http; )
00534 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft DirectShow ActiveX exploit via JavaScript"; flow:to_client,established; file_data; content:".classid='clsid|3A|0955AC62-BF2E-4CBA-A2B9-A63F772D46CF'|3B|",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-032; classtype:attempted-user; sid:15678; rev:8; service:http; )
00535 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS iseemedia LPViewer ActiveX buffer overflows attempt"; flow:to_client,established; file_data; content:"url"; content:"toolbar",distance 0; content:"enableZoomPastMax",distance 0; content:"classid=|22|clsid|3A|{3F0EECCE-E138-11D1-8712-0060083D83F5}",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,31604; reference:cve,2008-4384; classtype:attempted-user; sid:16589; rev:4; service:http; )
00535 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS iseemedia LPViewer ActiveX buffer overflows attempt"; flow:to_client,established; file_data; content:"url"; content:"toolbar",distance 0; content:"enableZoomPastMax",distance 0; content:"classid=|22|clsid|3A|{3F0EECCE-E138-11D1-8712-0060083D83F5}",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,31604; reference:cve,2008-4384; classtype:attempted-user; sid:16589; rev:4; service:http; )
00536 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS AtHocGov IWSAlerts ActiveX control buffer overflow attempt"; flow:to_client,established; file_data; content:"AtHocGovGSTlBar.GSHelper.1"; content:".CompleteInstallation|28|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.fortiguard.com/encyclopedia/vulnerability/athocgov.iwsalerts.activex.buffer.overflow.html; classtype:attempted-user; sid:16599; rev:5; service:http; )
00536 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS AtHocGov IWSAlerts ActiveX control buffer overflow attempt"; flow:to_client,established; file_data; content:"AtHocGovGSTlBar.GSHelper.1"; content:".CompleteInstallation|28|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.fortiguard.com/encyclopedia/vulnerability/athocgov.iwsalerts.activex.buffer.overflow.html; classtype:attempted-user; sid:16599; rev:5; service:http; )
00537 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS SaschArt SasCam Webcam Server ActiveX control exploit attempt"; flow:to_client,established; file_data; content:"clsid|3A|0297D24A-F425-47EE-9F3B-A459BCE593E3",nocase; content:"unescape|28|",within 300,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,33053; reference:cve,2008-6898; classtype:attempted-user; sid:16715; rev:3; service:http; )
00537 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS SaschArt SasCam Webcam Server ActiveX control exploit attempt"; flow:to_client,established; file_data; content:"clsid|3A|0297D24A-F425-47EE-9F3B-A459BCE593E3",nocase; content:"unescape|28|",within 300,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,33053; reference:cve,2008-6898; classtype:attempted-user; sid:16715; rev:3; service:http; )
00538 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Works WkImgSrv.dll ActiveX control code execution attempt"; flow:to_client,established; content:"00E1DB59-6EFD-4CE7-8C0A-2DA3BCAAD9C6"; file_data; content:"WksPictureInterface"; pcre:"/var num \x3D (-1|168430090)\x3B/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,28820; reference:cve,2008-1898; classtype:attempted-user; sid:16740; rev:4; service:http; )
00538 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Works WkImgSrv.dll ActiveX control code execution attempt"; flow:to_client,established; content:"00E1DB59-6EFD-4CE7-8C0A-2DA3BCAAD9C6"; file_data; content:"WksPictureInterface"; pcre:"/var num \x3D (-1|168430090)\x3B/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,28820; reference:cve,2008-1898; classtype:attempted-user; sid:16740; rev:4; service:http; )
00539 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS AwingSoft Web3D Player WindsPlayerIE.View.1 ActiveX SceneURL method overflow attempt"; flow:to_client,established; file_data; content:"classid|3D 27|clsid|3A|17A54E7D-A9D4-11D8-9552-00E04CB09903|27|"; content:"unescape|28 27 25|u",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-4588; classtype:attempted-user; sid:16771; rev:4; service:http; )
00539 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS AwingSoft Web3D Player WindsPlayerIE.View.1 ActiveX SceneURL method overflow attempt"; flow:to_client,established; file_data; content:"classid|3D 27|clsid|3A|17A54E7D-A9D4-11D8-9552-00E04CB09903|27|"; content:"unescape|28 27 25|u",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-4588; classtype:attempted-user; sid:16771; rev:4; service:http; )
00540 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Chilkat Crypt 2 ActiveX object access attempt"; flow:to_client,established; file_data; content:"|3D| new ActiveXObject|28 22|ChilkatCrypt2|2E|ChilkatCrypt2|22 29 3B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,32073; reference:cve,2008-5002; classtype:attempted-user; sid:16789; rev:6; service:http; )
00540 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Chilkat Crypt 2 ActiveX object access attempt"; flow:to_client,established; file_data; content:"|3D| new ActiveXObject|28 22|ChilkatCrypt2|2E|ChilkatCrypt2|22 29 3B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,32073; reference:cve,2008-5002; classtype:attempted-user; sid:16789; rev:6; service:http; )
00541 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Chilkat Crypt 2 ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"classid|3D 27|clsid|3A|3352B5B9-82E8-4FFD-9EB1-1A3E60056904|27|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,32073; reference:cve,2008-5002; classtype:attempted-user; sid:16790; rev:6; service:http; )
00541 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Chilkat Crypt 2 ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"classid|3D 27|clsid|3A|3352B5B9-82E8-4FFD-9EB1-1A3E60056904|27|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,32073; reference:cve,2008-5002; classtype:attempted-user; sid:16790; rev:6; service:http; )
00542 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Roxio CinePlayer SonicDVDDashVRNav.dll ActiveX control buffer overflow attempt"; flow:to_client,established; file_data; content:"9F1363DA-0220-462E-B923-9E3C9038896F"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,23412; reference:cve,2007-1559; classtype:attempted-user; sid:17060; rev:4; service:http; )
00542 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Roxio CinePlayer SonicDVDDashVRNav.dll ActiveX control buffer overflow attempt"; flow:to_client,established; file_data; content:"9F1363DA-0220-462E-B923-9E3C9038896F"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,23412; reference:cve,2007-1559; classtype:attempted-user; sid:17060; rev:4; service:http; )
00543 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Creative Software AutoUpdate Engine CTSUEng.ocx ActiveX control access attempt"; flow:to_client,established; file_data; content:"classid|3D 27|clsid|3A|0A5FD7C5-A45C-49FC-ADB5-9952547D5715|27|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,29391; reference:cve,2008-0955; classtype:attempted-user; sid:17086; rev:4; service:http; service:imap; service:pop3; )
00543 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Creative Software AutoUpdate Engine CTSUEng.ocx ActiveX control access attempt"; flow:to_client,established; file_data; content:"classid|3D 27|clsid|3A|0A5FD7C5-A45C-49FC-ADB5-9952547D5715|27|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,29391; reference:cve,2008-0955; classtype:attempted-user; sid:17086; rev:4; service:http; service:imap; service:pop3; )
00543 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Creative Software AutoUpdate Engine CTSUEng.ocx ActiveX control access attempt"; flow:to_client,established; file_data; content:"classid|3D 27|clsid|3A|0A5FD7C5-A45C-49FC-ADB5-9952547D5715|27|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,29391; reference:cve,2008-0955; classtype:attempted-user; sid:17086; rev:4; service:http; service:imap; service:pop3; )
00543 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Creative Software AutoUpdate Engine CTSUEng.ocx ActiveX control access attempt"; flow:to_client,established; file_data; content:"classid|3D 27|clsid|3A|0A5FD7C5-A45C-49FC-ADB5-9952547D5715|27|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,29391; reference:cve,2008-0955; classtype:attempted-user; sid:17086; rev:4; service:http; service:imap; service:pop3; )
00544 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS VeryDOC PDF Viewer ActiveX control OpenPDF buffer overflow attempt"; flow:to_client,established; file_data; content:"classid|3D 27|clsid|3A|433268D7-2CD4-43E6-AA24-2188672E7252|27|"; content:"unescape|28 27 25|u",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,32313; reference:cve,2008-5492; classtype:attempted-user; sid:17091; rev:5; service:http; )
00544 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS VeryDOC PDF Viewer ActiveX control OpenPDF buffer overflow attempt"; flow:to_client,established; file_data; content:"classid|3D 27|clsid|3A|433268D7-2CD4-43E6-AA24-2188672E7252|27|"; content:"unescape|28 27 25|u",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,32313; reference:cve,2008-5492; classtype:attempted-user; sid:17091; rev:5; service:http; )
00545 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS AOL IWinAmpActiveX class ConvertFile buffer overflow attempt"; flow:to_client,established; file_data; content:"classid|3D 27|clsid|3A|FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6|27|"; content:"ConvertFile"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,35028; classtype:attempted-user; sid:17098; rev:4; service:http; )
00545 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS AOL IWinAmpActiveX class ConvertFile buffer overflow attempt"; flow:to_client,established; file_data; content:"classid|3D 27|clsid|3A|FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6|27|"; content:"ConvertFile"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,35028; classtype:attempted-user; sid:17098; rev:4; service:http; )
00546 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS RealNetworks RealPlayer ActiveX Import playlist name buffer overflow attempt"; flow:to_client,established; file_data; content:"FDC7A535-4070-4B92-A0EA-D9994BCC0DC5"; content:"aaaaaaaaaaaaaaaaaa",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,26130; reference:cve,2007-5601; classtype:attempted-user; sid:17425; rev:6; service:http; )
00546 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS RealNetworks RealPlayer ActiveX Import playlist name buffer overflow attempt"; flow:to_client,established; file_data; content:"FDC7A535-4070-4B92-A0EA-D9994BCC0DC5"; content:"aaaaaaaaaaaaaaaaaa",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,26130; reference:cve,2007-5601; classtype:attempted-user; sid:17425; rev:6; service:http; )
00547 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Macrovision InstallShield Update Service ActiveX exploit attempt"; flow:to_client,established; file_data; content:"E9880553-B8A7-4960-A668-95C68BED571E"; content:"unescape|28 27 25 75 34|",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,26280; reference:bugtraq,31235; reference:cve,2007-5660; reference:url,support.installshield.com/kb/view.asp?articleid=Q113602; classtype:attempted-user; sid:17555; rev:5; service:http; )
00547 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Macrovision InstallShield Update Service ActiveX exploit attempt"; flow:to_client,established; file_data; content:"E9880553-B8A7-4960-A668-95C68BED571E"; content:"unescape|28 27 25 75 34|",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,26280; reference:bugtraq,31235; reference:cve,2007-5660; reference:url,support.installshield.com/kb/view.asp?articleid=Q113602; classtype:attempted-user; sid:17555; rev:5; service:http; )
00548 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Symantec Backup Exec ActiveX control buffer overflow attempt"; flow:to_client,established; file_data; content:"clsid|3A|22ACD16F-99EB-11D2-9BB3-00400561D975"; content:"unescape|28|"; content:"|25|u",within 5; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,26904; reference:cve,2007-6016; classtype:attempted-user; sid:16672; rev:6; service:http; )
00548 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Symantec Backup Exec ActiveX control buffer overflow attempt"; flow:to_client,established; file_data; content:"clsid|3A|22ACD16F-99EB-11D2-9BB3-00400561D975"; content:"unescape|28|"; content:"|25|u",within 5; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,26904; reference:cve,2007-6016; classtype:attempted-user; sid:16672; rev:6; service:http; )
00549 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Facebook Photo Uploader ActiveX exploit attempt"; flow:to_client,established; file_data; content:"5C6698D9-7BE4-4122-8EC5-291D84DBD4A0"; content:"unescape|28 22 25|u",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,27534; reference:bugtraq,27756; reference:cve,2008-5711; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:17654; rev:7; service:http; )
00549 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Facebook Photo Uploader ActiveX exploit attempt"; flow:to_client,established; file_data; content:"5C6698D9-7BE4-4122-8EC5-291D84DBD4A0"; content:"unescape|28 22 25|u",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,27534; reference:bugtraq,27756; reference:cve,2008-5711; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:17654; rev:7; service:http; )
00550 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Office Viewer ActiveX arbitrary command execution attempt"; flow:to_client,established; file_data; content:"18A295DA-088E-42D1-BE31-5028D7F9B9B5",nocase; content:"targetObject.OpenWebFile|28|",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips alert,service http; reference:bugtraq,23811; reference:bugtraq,33238; reference:bugtraq,33243; reference:bugtraq,33245; reference:cve,2007-2588; reference:url,moaxb.blogspot.com/2007/05/moaxb-04-office-viewer-oaocx-v-32.html; classtype:attempted-user; sid:17701; rev:5; service:http; )
00550 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Office Viewer ActiveX arbitrary command execution attempt"; flow:to_client,established; file_data; content:"18A295DA-088E-42D1-BE31-5028D7F9B9B5",nocase; content:"targetObject.OpenWebFile|28|",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips alert,service http; reference:bugtraq,23811; reference:bugtraq,33238; reference:bugtraq,33243; reference:bugtraq,33245; reference:cve,2007-2588; reference:url,moaxb.blogspot.com/2007/05/moaxb-04-office-viewer-oaocx-v-32.html; classtype:attempted-user; sid:17701; rev:5; service:http; )
00551 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Media Player ActiveX unknow compression algorithm use arbitrary code execution attempt"; flow:to_client,established; file_data; content:"6BF52A52-394A-11d3-B153-00C04F79FAA6",nocase; content:"poc|2E|avi",fast_pattern,nocase; content:"event|3D 22|playStateChange|28|foo|29 22 3E|boom",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-0268; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-027; classtype:attempted-user; sid:18542; rev:6; service:http; )
00551 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Media Player ActiveX unknow compression algorithm use arbitrary code execution attempt"; flow:to_client,established; file_data; content:"6BF52A52-394A-11d3-B153-00C04F79FAA6",nocase; content:"poc|2E|avi",fast_pattern,nocase; content:"event|3D 22|playStateChange|28|foo|29 22 3E|boom",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-0268; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-027; classtype:attempted-user; sid:18542; rev:6; service:http; )
00552 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Common Controls Animation Object ActiveX clsid access"; flow:to_client,established; file_data; content:"path|20 3D 20|theForm|2E|address|2E|value|3B|"; content:"ctrl|2E|Open|28|path|29 3B|",distance 0; content:"classid|3D 27|clsid|3A|B09DE715|2D|87C1|2D|11D1|2D|8BE3|2D|0000F8754DA1|27 20|id|3D 27|ctrl|27|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,32613; reference:cve,2008-4255; classtype:attempted-user; sid:18601; rev:4; service:http; )
00553 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS iseemedia LPViewer ActiveX exploit attempt"; flow:to_client,established; file_data; content:"ActiveXObject|28|'LPViewer.LPViewer.1'|29|"; content:"unescape",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,31604; reference:cve,2008-4384; classtype:attempted-user; sid:16588; rev:5; service:http; )
00554 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Works WkImgSrv.dll ActiveX control exploit attempt"; flow:to_client,established; content:"00E1DB59-6EFD-4CE7-8C0A-2DA3BCAAD9C6"; file_data; content:"WksPictureInterface"; content:"num|20 3D 20|168430090"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,28820; reference:cve,2008-1898; classtype:attempted-user; sid:20901; rev:4; service:http; )
00555 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Teechart Professional ActiveX clsid access"; flow:to_client,established; file_data; content:"BDEB0088-66F9-4A55-ABD2-0BF8DEEC1196"; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*BDEB0088-66F9-4A55-ABD2-0BF8DEEC1196\s*}?\s*(?P=q1)(\s|>|\x2F)/siO"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,osvdb.org/show/osvdb/74446; classtype:attempted-user; sid:23376; rev:3; service:http; service:imap; service:pop3; )
00556 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Teechart Professional ActiveX clsid access"; flow:to_client,established; file_data; content:"FAB9B41C-87D6-474D-AB7E-F07D78F2422E"; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*FAB9B41C-87D6-474D-AB7E-F07D78F2422E\s*}?\s*(?P=q1)(\s|>|\x2F)/siO"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,osvdb.org/show/osvdb/74446; classtype:attempted-user; sid:23375; rev:3; service:http; service:imap; service:pop3; )
00557 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Teechart Professional ActiveX clsid access"; flow:to_client,established; file_data; content:"536600D3-70FE-4C50-92FB-640F6BFC49AD"; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*536600D3-70FE-4C50-92FB-640F6BFC49AD\s*}?\s*(?P=q1)(\s|>|\x2F)/siO"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,osvdb.org/show/osvdb/74446; classtype:attempted-user; sid:23374; rev:3; service:http; service:imap; service:pop3; )
00558 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Teechart Professional ActiveX clsid access"; flow:to_client,established; file_data; content:"B6C10489-FB89-11D4-93C9-006008A7EED4"; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*B6C10489-FB89-11D4-93C9-006008A7EED4\s*}?\s*(?P=q1)(\s|>|\x2F)/siO"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,osvdb.org/show/osvdb/74446; classtype:attempted-user; sid:23373; rev:3; service:http; service:imap; service:pop3; )
00559 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Teechart Professional ActiveX clsid access"; flow:to_client,established; file_data; content:"FCB4B50A-E3F1-4174-BD18-54C3B3287258"; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*FCB4B50A-E3F1-4174-BD18-54C3B3287258\s*}?\s*(?P=q1)(\s|>|\x2F)/siO"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,osvdb.org/show/osvdb/74446; classtype:attempted-user; sid:23372; rev:3; service:http; service:imap; service:pop3; )
00560 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Msxml2.FreeThreadedDOMDocument.6.0"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Msxml2\.FreeThreadedDOMDocument\.6\.0(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23304; rev:3; service:http; service:imap; service:pop3; )
00561 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"88d96a06-f192-11d4-a65f-0040963251e5"; content:".definition(",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23303; rev:2; service:http; service:imap; service:pop3; )
00562 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Msxml2.DOMDocument.6.0"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Msxml2\.DOMDocument\.6\.0(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23302; rev:3; service:http; service:imap; service:pop3; )
00563 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Msxml2.FreeThreadedDOMDocument.5.0"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Msxml2\.FreeThreadedDOMDocument\.5\.0(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23301; rev:3; service:http; service:imap; service:pop3; )
00564 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"88d969e6-f192-11d4-a65f-0040963251e5"; content:".definition(",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23300; rev:2; service:http; service:imap; service:pop3; )
00565 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Msxml2.DOMDocument.5.0"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Msxml2\.DOMDocument\.5\.0(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23299; rev:3; service:http; service:imap; service:pop3; )
00566 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Msxml2.FreeThreadedDOMDocument.4.0"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Msxml2\.FreeThreadedDOMDocument\.4\.0(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23298; rev:3; service:http; service:imap; service:pop3; )
# sid:23297 - MS12-043 (CVE-2012-1889) .definition() access keyed on CLSID 88d969c1-f192-11d4-a65f-0040963251e5.
# NOTE(review): content:".definition(" already requires "(" directly after "definition", so the \s* in the pcre
# can never admit whitespace there; sid:23146 (rev 3) uses content:".definition" for exactly that reason and this
# rev 2 rule should be aligned with it. The CLSID content has no nocase, so an upper-case spelling of the GUID is
# not matched at all - confirm that is intended.
00567 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"88d969c1-f192-11d4-a65f-0040963251e5"; content:".definition(",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23297; rev:2; service:http; service:imap; service:pop3; )
00567 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"88d969c1-f192-11d4-a65f-0040963251e5"; content:".definition(",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23297; rev:2; service:http; service:imap; service:pop3; )
00567 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"88d969c1-f192-11d4-a65f-0040963251e5"; content:".definition(",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23297; rev:2; service:http; service:imap; service:pop3; )
00567 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"88d969c1-f192-11d4-a65f-0040963251e5"; content:".definition(",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23297; rev:2; service:http; service:imap; service:pop3; )
# sid:23296 - MS12-043 (CVE-2012-1889) .definition() access via ProgID Msxml2.DOMDocument.4.0:
# ProgID literal (case-sensitive) + ".definition(" (nocase) + pcre for a var/set assignment of
# new ActiveXObject(...)/CreateObject(...) whose argument is exactly that ProgID; group q1 captures the
# opening quote (or none) and (?P=q1) forces the same closing quote.
00568 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Msxml2.DOMDocument.4.0"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Msxml2\.DOMDocument\.4\.0(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23296; rev:3; service:http; service:imap; service:pop3; )
00568 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Msxml2.DOMDocument.4.0"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Msxml2\.DOMDocument\.4\.0(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23296; rev:3; service:http; service:imap; service:pop3; )
00568 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Msxml2.DOMDocument.4.0"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Msxml2\.DOMDocument\.4\.0(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23296; rev:3; service:http; service:imap; service:pop3; )
00568 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Msxml2.DOMDocument.4.0"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Msxml2\.DOMDocument\.4\.0(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23296; rev:3; service:http; service:imap; service:pop3; )
# sid:23295 - MS12-043 (CVE-2012-1889) .definition() access via the unversioned ProgID MSXML2.FreeThreadedDOMDocument:
# ProgID literal + ".definition(" (nocase) + pcre for a var/set assignment of new ActiveXObject(...)/CreateObject(...)
# whose argument is exactly that ProgID (group q1 matches the opening quote, or none, to the closing one).
# NOTE(review): the content literal is upper-case "MSXML2" and has no nocase, so the mixed-case spelling
# Msxml2.FreeThreadedDOMDocument never reaches the (/i) pcre - confirm that is intended.
00569 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"MSXML2.FreeThreadedDOMDocument"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))MSXML2\.FreeThreadedDOMDocument(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23295; rev:3; service:http; service:imap; service:pop3; )
00569 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"MSXML2.FreeThreadedDOMDocument"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))MSXML2\.FreeThreadedDOMDocument(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23295; rev:3; service:http; service:imap; service:pop3; )
00569 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"MSXML2.FreeThreadedDOMDocument"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))MSXML2\.FreeThreadedDOMDocument(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23295; rev:3; service:http; service:imap; service:pop3; )
00569 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"MSXML2.FreeThreadedDOMDocument"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))MSXML2\.FreeThreadedDOMDocument(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23295; rev:3; service:http; service:imap; service:pop3; )
# sid:23294 - MS12-043 (CVE-2012-1889) .definition() access keyed on CLSID f6d90f12-9c73-11d3-b32e-00c04f990bb4.
# NOTE(review): content:".definition(" already requires "(" directly after "definition", so the \s* in the pcre
# can never admit whitespace there; sid:23146 (rev 3) uses content:".definition" for exactly that reason and this
# rev 2 rule should be aligned with it. The CLSID content has no nocase, so an upper-case spelling of the GUID is
# not matched at all - confirm that is intended.
00570 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"f6d90f12-9c73-11d3-b32e-00c04f990bb4"; content:".definition(",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23294; rev:2; service:http; service:imap; service:pop3; )
00570 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"f6d90f12-9c73-11d3-b32e-00c04f990bb4"; content:".definition(",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23294; rev:2; service:http; service:imap; service:pop3; )
00570 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"f6d90f12-9c73-11d3-b32e-00c04f990bb4"; content:".definition(",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23294; rev:2; service:http; service:imap; service:pop3; )
00570 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"f6d90f12-9c73-11d3-b32e-00c04f990bb4"; content:".definition(",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23294; rev:2; service:http; service:imap; service:pop3; )
# sid:23293 - MS12-043 (CVE-2012-1889) .definition() access via ProgID Msxml2.FreeThreadedDOMDocument.3.0:
# ProgID literal (case-sensitive) + ".definition(" (nocase) + pcre for a var/set assignment of
# new ActiveXObject(...)/CreateObject(...) whose argument is exactly that ProgID; group q1 captures the
# opening quote (or none) and (?P=q1) forces the same closing quote.
00571 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Msxml2.FreeThreadedDOMDocument.3.0"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Msxml2\.FreeThreadedDOMDocument\.3\.0(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23293; rev:3; service:http; service:imap; service:pop3; )
00571 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Msxml2.FreeThreadedDOMDocument.3.0"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Msxml2\.FreeThreadedDOMDocument\.3\.0(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23293; rev:3; service:http; service:imap; service:pop3; )
00571 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Msxml2.FreeThreadedDOMDocument.3.0"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Msxml2\.FreeThreadedDOMDocument\.3\.0(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23293; rev:3; service:http; service:imap; service:pop3; )
00571 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Msxml2.FreeThreadedDOMDocument.3.0"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Msxml2\.FreeThreadedDOMDocument\.3\.0(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23293; rev:3; service:http; service:imap; service:pop3; )
# sid:23292 - MS12-043 (CVE-2012-1889) .definition() access keyed on CLSID f5078f33-c551-11d3-89b9-0000f81fe221.
# NOTE(review): content:".definition(" already requires "(" directly after "definition", so the \s* in the pcre
# can never admit whitespace there; sid:23146 (rev 3) uses content:".definition" for exactly that reason and this
# rev 2 rule should be aligned with it. The CLSID content has no nocase, so an upper-case spelling of the GUID is
# not matched at all - confirm that is intended.
00572 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"f5078f33-c551-11d3-89b9-0000f81fe221"; content:".definition(",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23292; rev:2; service:http; service:imap; service:pop3; )
00572 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"f5078f33-c551-11d3-89b9-0000f81fe221"; content:".definition(",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23292; rev:2; service:http; service:imap; service:pop3; )
00572 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"f5078f33-c551-11d3-89b9-0000f81fe221"; content:".definition(",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23292; rev:2; service:http; service:imap; service:pop3; )
00572 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"f5078f33-c551-11d3-89b9-0000f81fe221"; content:".definition(",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23292; rev:2; service:http; service:imap; service:pop3; )
# sid:23291 - MS12-043 (CVE-2012-1889) .definition() access via the unversioned ProgID Msxml2.DOMDocument:
# ProgID literal (case-sensitive) + ".definition(" (nocase) + pcre for a var/set assignment of
# new ActiveXObject(...)/CreateObject(...) whose argument is exactly that ProgID. Because the pcre requires the
# matching close quote (group q1) or ")" immediately after "DOMDocument", versioned ProgIDs such as
# Msxml2.DOMDocument.3.0 do not satisfy this pcre and are covered by their own sids.
00573 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Msxml2.DOMDocument"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Msxml2\.DOMDocument(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23291; rev:3; service:http; service:imap; service:pop3; )
00573 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Msxml2.DOMDocument"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Msxml2\.DOMDocument(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23291; rev:3; service:http; service:imap; service:pop3; )
00573 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Msxml2.DOMDocument"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Msxml2\.DOMDocument(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23291; rev:3; service:http; service:imap; service:pop3; )
00573 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Msxml2.DOMDocument"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Msxml2\.DOMDocument(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23291; rev:3; service:http; service:imap; service:pop3; )
# sid:23290 - MS12-043 (CVE-2012-1889) .definition() access via ProgID Msxml2.DOMDocument.3.0:
# ProgID literal (case-sensitive) + ".definition(" (nocase) + pcre for a var/set assignment of
# new ActiveXObject(...)/CreateObject(...) whose argument is exactly that ProgID; group q1 captures the
# opening quote (or none) and (?P=q1) forces the same closing quote.
00574 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Msxml2.DOMDocument.3.0"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Msxml2\.DOMDocument\.3\.0(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23290; rev:3; service:http; service:imap; service:pop3; )
00574 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Msxml2.DOMDocument.3.0"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Msxml2\.DOMDocument\.3\.0(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23290; rev:3; service:http; service:imap; service:pop3; )
00574 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Msxml2.DOMDocument.3.0"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Msxml2\.DOMDocument\.3\.0(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23290; rev:3; service:http; service:imap; service:pop3; )
00574 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Msxml2.DOMDocument.3.0"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Msxml2\.DOMDocument\.3\.0(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23290; rev:3; service:http; service:imap; service:pop3; )
# sid:23289 - MS12-043 (CVE-2012-1889) .definition() access via ProgID Microsoft.FreeThreadedXMLDOM.1.0:
# ProgID literal (case-sensitive) + ".definition(" (nocase) + pcre for a var/set assignment of
# new ActiveXObject(...)/CreateObject(...) whose argument is exactly that ProgID; group q1 captures the
# opening quote (or none) and (?P=q1) forces the same closing quote.
00575 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Microsoft.FreeThreadedXMLDOM.1.0"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Microsoft\.FreeThreadedXMLDOM\.1\.0(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23289; rev:3; service:http; service:imap; service:pop3; )
00575 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Microsoft.FreeThreadedXMLDOM.1.0"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Microsoft\.FreeThreadedXMLDOM\.1\.0(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23289; rev:3; service:http; service:imap; service:pop3; )
00575 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Microsoft.FreeThreadedXMLDOM.1.0"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Microsoft\.FreeThreadedXMLDOM\.1\.0(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23289; rev:3; service:http; service:imap; service:pop3; )
00575 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Microsoft.FreeThreadedXMLDOM.1.0"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Microsoft\.FreeThreadedXMLDOM\.1\.0(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23289; rev:3; service:http; service:imap; service:pop3; )
# sid:23288 - MS12-043 (CVE-2012-1889) .definition() access keyed on CLSID 2933bf91-7b36-11d2-b20e-00c04f983e60.
# NOTE(review): content:".definition(" already requires "(" directly after "definition", so the \s* in the pcre
# can never admit whitespace there; sid:23146 (rev 3) uses content:".definition" for exactly that reason and this
# rev 2 rule should be aligned with it. The CLSID content has no nocase, so an upper-case spelling of the GUID is
# not matched at all - confirm that is intended.
00576 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"2933bf91-7b36-11d2-b20e-00c04f983e60"; content:".definition(",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23288; rev:2; service:http; service:imap; service:pop3; )
00576 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"2933bf91-7b36-11d2-b20e-00c04f983e60"; content:".definition(",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23288; rev:2; service:http; service:imap; service:pop3; )
00576 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"2933bf91-7b36-11d2-b20e-00c04f983e60"; content:".definition(",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23288; rev:2; service:http; service:imap; service:pop3; )
00576 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"2933bf91-7b36-11d2-b20e-00c04f983e60"; content:".definition(",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23288; rev:2; service:http; service:imap; service:pop3; )
# sid:23287 - MS12-043 (CVE-2012-1889) .definition() access via ProgID Microsoft.XMLDOM.1.0:
# ProgID literal (case-sensitive) + ".definition(" (nocase) + pcre for a var/set assignment of
# new ActiveXObject(...)/CreateObject(...) whose argument is exactly that ProgID; group q1 captures the
# opening quote (or none) and (?P=q1) forces the same closing quote.
00577 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Microsoft.XMLDOM.1.0"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Microsoft\.XMLDOM\.1\.0(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23287; rev:3; service:http; service:imap; service:pop3; )
00577 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Microsoft.XMLDOM.1.0"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Microsoft\.XMLDOM\.1\.0(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23287; rev:3; service:http; service:imap; service:pop3; )
00577 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Microsoft.XMLDOM.1.0"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Microsoft\.XMLDOM\.1\.0(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23287; rev:3; service:http; service:imap; service:pop3; )
00577 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Microsoft.XMLDOM.1.0"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Microsoft\.XMLDOM\.1\.0(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23287; rev:3; service:http; service:imap; service:pop3; )
# sid:23286 - MS12-043 (CVE-2012-1889) .definition() access keyed on CLSID 2933bf90-7b36-11d2-b20e-00c04f983e60.
# NOTE(review): content:".definition(" already requires "(" directly after "definition", so the \s* in the pcre
# can never admit whitespace there; sid:23146 (rev 3) uses content:".definition" for exactly that reason and this
# rev 2 rule should be aligned with it. The CLSID content has no nocase, so an upper-case spelling of the GUID is
# not matched at all - confirm that is intended.
00578 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"2933bf90-7b36-11d2-b20e-00c04f983e60"; content:".definition(",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23286; rev:2; service:http; service:imap; service:pop3; )
00578 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"2933bf90-7b36-11d2-b20e-00c04f983e60"; content:".definition(",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23286; rev:2; service:http; service:imap; service:pop3; )
00578 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"2933bf90-7b36-11d2-b20e-00c04f983e60"; content:".definition(",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23286; rev:2; service:http; service:imap; service:pop3; )
00578 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"2933bf90-7b36-11d2-b20e-00c04f983e60"; content:".definition(",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23286; rev:2; service:http; service:imap; service:pop3; )
00579 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"88d96a05-f192-11d4-a65f-0040963251e5"; content:".definition",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23146; rev:3; service:http; service:imap; service:pop3; )
00579 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"88d96a05-f192-11d4-a65f-0040963251e5"; content:".definition",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23146; rev:3; service:http; service:imap; service:pop3; )
00579 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"88d96a05-f192-11d4-a65f-0040963251e5"; content:".definition",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23146; rev:3; service:http; service:imap; service:pop3; )
00579 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"88d96a05-f192-11d4-a65f-0040963251e5"; content:".definition",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23146; rev:3; service:http; service:imap; service:pop3; )
00580 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"88d969e5-f192-11d4-a65f-0040963251e5"; content:".definition",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23145; rev:3; service:http; service:imap; service:pop3; )
00580 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"88d969e5-f192-11d4-a65f-0040963251e5"; content:".definition",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23145; rev:3; service:http; service:imap; service:pop3; )
00580 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"88d969e5-f192-11d4-a65f-0040963251e5"; content:".definition",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23145; rev:3; service:http; service:imap; service:pop3; )
00580 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"88d969e5-f192-11d4-a65f-0040963251e5"; content:".definition",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23145; rev:3; service:http; service:imap; service:pop3; )
00581 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"88d969c0-f192-11d4-a65f-0040963251e5"; content:".definition",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23144; rev:3; service:http; service:imap; service:pop3; )
00581 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"88d969c0-f192-11d4-a65f-0040963251e5"; content:".definition",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23144; rev:3; service:http; service:imap; service:pop3; )
00581 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"88d969c0-f192-11d4-a65f-0040963251e5"; content:".definition",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23144; rev:3; service:http; service:imap; service:pop3; )
00581 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"88d969c0-f192-11d4-a65f-0040963251e5"; content:".definition",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23144; rev:3; service:http; service:imap; service:pop3; )
00582 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"f5078f32-c551-11d3-89b9-0000f81fe221"; content:".definition",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23143; rev:3; service:http; service:imap; service:pop3; )
00582 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"f5078f32-c551-11d3-89b9-0000f81fe221"; content:".definition",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23143; rev:3; service:http; service:imap; service:pop3; )
00582 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"f5078f32-c551-11d3-89b9-0000f81fe221"; content:".definition",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23143; rev:3; service:http; service:imap; service:pop3; )
00582 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"f5078f32-c551-11d3-89b9-0000f81fe221"; content:".definition",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23143; rev:3; service:http; service:imap; service:pop3; )
00583 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"f6d90f11-9c73-11d3-b32e-00c04f990bb4"; content:".definition",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23142; rev:3; service:http; service:imap; service:pop3; )
00583 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"f6d90f11-9c73-11d3-b32e-00c04f990bb4"; content:".definition",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23142; rev:3; service:http; service:imap; service:pop3; )
00583 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"f6d90f11-9c73-11d3-b32e-00c04f990bb4"; content:".definition",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23142; rev:3; service:http; service:imap; service:pop3; )
00583 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"f6d90f11-9c73-11d3-b32e-00c04f990bb4"; content:".definition",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23142; rev:3; service:http; service:imap; service:pop3; )
00584 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Media Encoder 9 ActiveX function call access"; flow:to_client,established; file_data; content:"WMEnc.WMEncProfileManager"; pcre:"/(?P<c>\w+)\s*=\s*(\x22WMEnc\.WMEncProfileManager\x22|\x27WMEnc\.WMEncProfileManager\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*GetDetailsString\s*|.*(?P=v)\s*\.\s*GetDetailsString\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22WMEnc\.WMEncProfileManager\x22|\x27WMEnc\.WMEncProfileManager\x27)\s*\)(\s*\.\s*GetDetailsString\s*|.*(?P=n)\s*\.\s*GetDetailsString\s*)\s*\(/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-3008; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-053; classtype:attempted-user; sid:14257; rev:8; service:http; )
00584 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Media Encoder 9 ActiveX function call access"; flow:to_client,established; file_data; content:"WMEnc.WMEncProfileManager"; pcre:"/(?P<c>\w+)\s*=\s*(\x22WMEnc\.WMEncProfileManager\x22|\x27WMEnc\.WMEncProfileManager\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*GetDetailsString\s*|.*(?P=v)\s*\.\s*GetDetailsString\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22WMEnc\.WMEncProfileManager\x22|\x27WMEnc\.WMEncProfileManager\x27)\s*\)(\s*\.\s*GetDetailsString\s*|.*(?P=n)\s*\.\s*GetDetailsString\s*)\s*\(/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-3008; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-053; classtype:attempted-user; sid:14257; rev:8; service:http; )
00585 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Media Encoder 9 ActiveX clsid access"; flow:to_client,established; file_data; content:"A8D3AD02-7508-4004-B2E9-AD33F087F43C",nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A8D3AD02-7508-4004-B2E9-AD33F087F43C\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(GetDetailsString)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A8D3AD02-7508-4004-B2E9-AD33F087F43C\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(GetDetailsString))\s*\(/siO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-3008; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-053; classtype:attempted-user; sid:14255; rev:9; service:http; )
00585 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Media Encoder 9 ActiveX clsid access"; flow:to_client,established; file_data; content:"A8D3AD02-7508-4004-B2E9-AD33F087F43C",nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A8D3AD02-7508-4004-B2E9-AD33F087F43C\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(GetDetailsString)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A8D3AD02-7508-4004-B2E9-AD33F087F43C\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(GetDetailsString))\s*\(/siO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-3008; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-053; classtype:attempted-user; sid:14255; rev:9; service:http; )
00586 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Help 2.0 Contents Control ActiveX function call access"; flow:to_client,established; file_data; content:"HxVz.HxTocCtrl"; pcre:"/(?P<c>\w+)\s*=\s*(\x22HxVz\.HxTocCtrl\x22|\x27HxVz\.HxTocCtrl\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22HxVz\.HxTocCtrl\x22|\x27HxVz\.HxTocCtrl\x27)\s*\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-1086; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-023; classtype:attempted-user; sid:13670; rev:8; service:http; )
00586 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Help 2.0 Contents Control ActiveX function call access"; flow:to_client,established; file_data; content:"HxVz.HxTocCtrl"; pcre:"/(?P<c>\w+)\s*=\s*(\x22HxVz\.HxTocCtrl\x22|\x27HxVz\.HxTocCtrl\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22HxVz\.HxTocCtrl\x22|\x27HxVz\.HxTocCtrl\x27)\s*\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-1086; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-023; classtype:attempted-user; sid:13670; rev:8; service:http; )
00587 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Help 2.0 Contents Control ActiveX clsid access"; flow:to_client,established; file_data; content:"314111b8-a502-11d2-bbca-00c04f8ec294",nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*314111b8-a502-11d2-bbca-00c04f8ec294\s*}?\s*(?P=q1)(\s|>)/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-1086; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-023; classtype:attempted-user; sid:13668; rev:8; service:http; )
00587 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Help 2.0 Contents Control ActiveX clsid access"; flow:to_client,established; file_data; content:"314111b8-a502-11d2-bbca-00c04f8ec294",nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*314111b8-a502-11d2-bbca-00c04f8ec294\s*}?\s*(?P=q1)(\s|>)/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-1086; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-023; classtype:attempted-user; sid:13668; rev:8; service:http; )
00588 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Help 2.0 Contents Control 2 ActiveX function call access"; flow:to_client,established; file_data; content:"HxVz.HxIndexCtrl"; pcre:"/(?P<c>\w+)\s*=\s*(\x22HxVz\.HxIndexCtrl\x22|\x27HxVz\.HxIndexCtrl\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22HxVz\.HxIndexCtrl\x22|\x27HxVz\.HxIndexCtrl\x27)\s*\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-1086; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-023; classtype:attempted-user; sid:13674; rev:8; service:http; )
00588 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Help 2.0 Contents Control 2 ActiveX function call access"; flow:to_client,established; file_data; content:"HxVz.HxIndexCtrl"; pcre:"/(?P<c>\w+)\s*=\s*(\x22HxVz\.HxIndexCtrl\x22|\x27HxVz\.HxIndexCtrl\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22HxVz\.HxIndexCtrl\x22|\x27HxVz\.HxIndexCtrl\x27)\s*\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-1086; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-023; classtype:attempted-user; sid:13674; rev:8; service:http; )
00589 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Help 2.0 Contents Control 2 ActiveX clsid access"; flow:to_client,established; file_data; content:"314111c6-a502-11d2-bbca-00c04f8ec294",nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q5>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*314111c6-a502-11d2-bbca-00c04f8ec294\s*}?\s*(?P=q5)(\s|>)/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-1086; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-023; classtype:attempted-user; sid:13672; rev:8; service:http; )
00589 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Help 2.0 Contents Control 2 ActiveX clsid access"; flow:to_client,established; file_data; content:"314111c6-a502-11d2-bbca-00c04f8ec294",nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q5>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*314111c6-a502-11d2-bbca-00c04f8ec294\s*}?\s*(?P=q5)(\s|>)/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-1086; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-023; classtype:attempted-user; sid:13672; rev:8; service:http; )
00590 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Forms 2.0 ActiveX function call access"; flow:to_client,established; file_data; content:"Forms.Image"; pcre:"/(?P<c>\w+)\s*=\s*(\x22Forms\.Image\x22|\x27Forms\.Image\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Forms\.Image\x22|\x27Forms\.Image\x27)\s*\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2007-0065; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-008; classtype:attempted-user; sid:13459; rev:8; service:http; )
00590 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Forms 2.0 ActiveX function call access"; flow:to_client,established; file_data; content:"Forms.Image"; pcre:"/(?P<c>\w+)\s*=\s*(\x22Forms\.Image\x22|\x27Forms\.Image\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Forms\.Image\x22|\x27Forms\.Image\x27)\s*\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2007-0065; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-008; classtype:attempted-user; sid:13459; rev:8; service:http; )
00591 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Forms 2.0 ActiveX clsid access"; flow:to_client,established; file_data; content:"4C599241-6926-101B-9992-00000B65C6F9",nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*4C599241-6926-101B-9992-00000B65C6F9\s*}?\s*(?P=q1)(\s|>)/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2007-0065; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-008; classtype:attempted-user; sid:13457; rev:8; service:http; )
00591 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Forms 2.0 ActiveX clsid access"; flow:to_client,established; file_data; content:"4C599241-6926-101B-9992-00000B65C6F9",nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*4C599241-6926-101B-9992-00000B65C6F9\s*}?\s*(?P=q1)(\s|>)/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2007-0065; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-008; classtype:attempted-user; sid:13457; rev:8; service:http; )
00592 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Visual Basic Hierarchical FlexGrid ActiveX function call access"; flow:to_client,established; file_data; content:"MSHierarchicalFlexGridLib.MSHFlexGrid",nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22MSHierarchicalFlexGridLib\.MSHFlexGrid(\.\d)?\x22|\x27MSHierarchicalFlexGridLib\.MSHFlexGrid(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*Rows\s*|.*(?P=v)\s*\.\s*Rows\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22MSHierarchicalFlexGridLib\.MSHFlexGrid(\.\d)?\x22|\x27MSHierarchicalFlexGridLib\.MSHFlexGrid(\.\d)?\x27)\s*\)(\s*\.\s*Rows\s*|.*(?P=n)\s*\.\s*Rows)\s*=/smiO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-4254; reference:url,support.microsoft.com/kb/960715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-070; classtype:attempted-user; sid:15102; rev:8; service:http; )
00592 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Visual Basic Hierarchical FlexGrid ActiveX function call access"; flow:to_client,established; file_data; content:"MSHierarchicalFlexGridLib.MSHFlexGrid",nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22MSHierarchicalFlexGridLib\.MSHFlexGrid(\.\d)?\x22|\x27MSHierarchicalFlexGridLib\.MSHFlexGrid(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*Rows\s*|.*(?P=v)\s*\.\s*Rows\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22MSHierarchicalFlexGridLib\.MSHFlexGrid(\.\d)?\x22|\x27MSHierarchicalFlexGridLib\.MSHFlexGrid(\.\d)?\x27)\s*\)(\s*\.\s*Rows\s*|.*(?P=n)\s*\.\s*Rows)\s*=/smiO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-4254; reference:url,support.microsoft.com/kb/960715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-070; classtype:attempted-user; sid:15102; rev:8; service:http; )
00593 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Visual Basic Hierarchical FlexGrid ActiveX clsid access"; flow:to_client,established; file_data; content:"0ECD9B64-23AA-11D0-B351-00A0C9055D8E",nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m3>\x22|\x27|)(?P<id1>.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P<q22>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0ECD9B64-23AA-11D0-B351-00A0C9055D8E\s*}?\s*(?P=q22)(\s|>).*(?P=id1)\s*\.\s*(Rows)|<object\s*[^>]*\s*classid\s*=\s*(?P<q23>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0ECD9B64-23AA-11D0-B351-00A0C9055D8E\s*}?\s*(?P=q23)(\s|>)[^>]*\s*id\s*=\s*(?P<m4>\x22|\x27|)(?P<id2>.+?)(?P=m4)(\s|>).*(?P=id2)\s*\.\s*(Rows))\s*=/siO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-4254; reference:url,support.microsoft.com/kb/960715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-070; classtype:attempted-user; sid:15100; rev:8; service:http; )
00593 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Visual Basic Hierarchical FlexGrid ActiveX clsid access"; flow:to_client,established; file_data; content:"0ECD9B64-23AA-11D0-B351-00A0C9055D8E",nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m3>\x22|\x27|)(?P<id1>.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P<q22>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0ECD9B64-23AA-11D0-B351-00A0C9055D8E\s*}?\s*(?P=q22)(\s|>).*(?P=id1)\s*\.\s*(Rows)|<object\s*[^>]*\s*classid\s*=\s*(?P<q23>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0ECD9B64-23AA-11D0-B351-00A0C9055D8E\s*}?\s*(?P=q23)(\s|>)[^>]*\s*id\s*=\s*(?P<m4>\x22|\x27|)(?P<id2>.+?)(?P=m4)(\s|>).*(?P=id2)\s*\.\s*(Rows))\s*=/siO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-4254; reference:url,support.microsoft.com/kb/960715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-070; classtype:attempted-user; sid:15100; rev:8; service:http; )
00594 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Visual Basic FlexGrid ActiveX function call access"; flow:to_client,established; file_data; content:"MSFlexGridLib.MSFlexGrid",nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22MSFlexGridLib\.MSFlexGrid(\.\d)?\x22|\x27MSFlexGridLib\.MSFlexGrid(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*FormatString\s*|.*(?P=v)\s*\.\s*FormatString\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22MSFlexGridLib\.MSFlexGrid(\.\d)?\x22|\x27MSFlexGridLib\.MSFlexGrid(\.\d)?\x27)\s*\)(\s*\.\s*FormatString\s*|.*(?P=n)\s*\.\s*FormatString)\s*=/smiO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-4253; reference:url,support.microsoft.com/kb/960715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-070; classtype:attempted-user; sid:15098; rev:8; service:http; )
00594 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Visual Basic FlexGrid ActiveX function call access"; flow:to_client,established; file_data; content:"MSFlexGridLib.MSFlexGrid",nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22MSFlexGridLib\.MSFlexGrid(\.\d)?\x22|\x27MSFlexGridLib\.MSFlexGrid(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*FormatString\s*|.*(?P=v)\s*\.\s*FormatString\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22MSFlexGridLib\.MSFlexGrid(\.\d)?\x22|\x27MSFlexGridLib\.MSFlexGrid(\.\d)?\x27)\s*\)(\s*\.\s*FormatString\s*|.*(?P=n)\s*\.\s*FormatString)\s*=/smiO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-4253; reference:url,support.microsoft.com/kb/960715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-070; classtype:attempted-user; sid:15098; rev:8; service:http; )
00595 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Visual Basic FlexGrid ActiveX clsid access"; flow:to_client,established; file_data; content:"6262D3A0-531B-11CF-91F6-C2863C385E30",nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m5>\x22|\x27|)(?P<id1>.+?)(?P=m5)(\s|>)[^>]*\s*classid\s*=\s*(?P<q27>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*6262D3A0-531B-11CF-91F6-C2863C385E30\s*}?\s*(?P=q27)(\s|>).*(?P=id1)\s*\.\s*(FormatString)|<object\s*[^>]*\s*classid\s*=\s*(?P<q28>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*6262D3A0-531B-11CF-91F6-C2863C385E30\s*}?\s*(?P=q28)(\s|>)[^>]*\s*id\s*=\s*(?P<m6>\x22|\x27|)(?P<id2>.+?)(?P=m6)(\s|>).*(?P=id2)\s*\.\s*(FormatString))\s*=/siO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-4253; reference:url,support.microsoft.com/kb/960715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-070; classtype:attempted-user; sid:15096; rev:8; service:http; )
00595 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Visual Basic FlexGrid ActiveX clsid access"; flow:to_client,established; file_data; content:"6262D3A0-531B-11CF-91F6-C2863C385E30",nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m5>\x22|\x27|)(?P<id1>.+?)(?P=m5)(\s|>)[^>]*\s*classid\s*=\s*(?P<q27>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*6262D3A0-531B-11CF-91F6-C2863C385E30\s*}?\s*(?P=q27)(\s|>).*(?P=id1)\s*\.\s*(FormatString)|<object\s*[^>]*\s*classid\s*=\s*(?P<q28>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*6262D3A0-531B-11CF-91F6-C2863C385E30\s*}?\s*(?P=q28)(\s|>)[^>]*\s*id\s*=\s*(?P<m6>\x22|\x27|)(?P<id2>.+?)(?P=m6)(\s|>).*(?P=id2)\s*\.\s*(FormatString))\s*=/siO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-4253; reference:url,support.microsoft.com/kb/960715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-070; classtype:attempted-user; sid:15096; rev:8; service:http; )
00596 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Remote Desktop Client ActiveX function call access"; flow:to_client,established; file_data; content:"MsRDP.MsRDP",nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22MsRDP\.MsRDP(\.\d)?\x22|\x27MsRDP\.MsRDP(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*MsRdpClientShell\.RdpFileContents\s*|.*(?P=v)\s*\.\s*MsRdpClientShell\.RdpFileContents\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22MsRDP\.MsRDP(\.\d)?\x22|\x27MsRDP\.MsRDP(\.\d)?\x27)\s*\)(\s*\.\s*MsRdpClientShell\.RdpFileContents\s*|.*(?P=n)\s*\.\s*MsRdpClientShell\.RdpFileContents)\s*=/smiO"; metadata:policy balanced-ips drop,policy security-ips alert,service http; reference:cve,2009-1929; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-044; classtype:attempted-user; sid:15863; rev:9; service:http; )
00596 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Remote Desktop Client ActiveX function call access"; flow:to_client,established; file_data; content:"MsRDP.MsRDP",nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22MsRDP\.MsRDP(\.\d)?\x22|\x27MsRDP\.MsRDP(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*MsRdpClientShell\.RdpFileContents\s*|.*(?P=v)\s*\.\s*MsRdpClientShell\.RdpFileContents\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22MsRDP\.MsRDP(\.\d)?\x22|\x27MsRDP\.MsRDP(\.\d)?\x27)\s*\)(\s*\.\s*MsRdpClientShell\.RdpFileContents\s*|.*(?P=n)\s*\.\s*MsRdpClientShell\.RdpFileContents)\s*=/smiO"; metadata:policy balanced-ips drop,policy security-ips alert,service http; reference:cve,2009-1929; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-044; classtype:attempted-user; sid:15863; rev:9; service:http; )
# sid 15861 rev 9 - Microsoft Remote Desktop Client ActiveX control, <object> ("clsid access") variant,
# CLSID 4EB89FF4-7F78-4A0F-8B8D-2BF02E94E4B2, CVE-2009-1929 / MS09-044. Companion to sid 15863 (script form).
# Inspects the decoded HTTP response body (file_data); the GUID content match gates the pcre.
# The pcre requires an <object> tag binding this CLSID to an id (id/classid in either order, any quoting,
# optional braces) followed later in the page by an assignment to <that id>.MsRdpClientShell.RdpFileContents,
# so a bare <object> reference to the CLSID without the property write does not match.
# pcre flags: s, i, O (override the configured PCRE match limits).
# Policy: balanced-ips drop, security-ips alert (same asymmetry as sid 15863).
00597 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Remote Desktop Client ActiveX clsid access"; flow:to_client,established; file_data; content:"4EB89FF4-7F78-4A0F-8B8D-2BF02E94E4B2",nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*4EB89FF4-7F78-4A0F-8B8D-2BF02E94E4B2\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(MsRdpClientShell\.RdpFileContents)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*4EB89FF4-7F78-4A0F-8B8D-2BF02E94E4B2\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\s*\.\s*(MsRdpClientShell\.RdpFileContents))\s*=/siO"; metadata:policy balanced-ips drop,policy security-ips alert,service http; reference:cve,2009-1929; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-044; classtype:attempted-user; sid:15861; rev:9; service:http; )
# sid 15691 rev 7 - Microsoft Office Web Components 11 Spreadsheet control, script-side variant,
# CVE-2009-1136 / MS09-043, kb 973472. Companion to sid 15689 (<object classid=...> form).
# Inspects the decoded HTTP response body (file_data); the "OWC11.Spreadsheet" content match gates the pcre.
# The pcre matches `new ActiveXObject("OWC11.Spreadsheet[.N]")`, with the ProgID inline or via a variable
# assigned earlier. Unlike sids 15863/15861 it stops at the constructor call and does not require any
# particular property or method access, so any scripted instantiation of the control matches - expect
# alerts from legitimate pages that embed OWC11 spreadsheets, not only from exploit attempts.
# pcre flags: s, m, i, O (override the configured PCRE match limits).
# Policy: balanced-ips drop, security-ips alert.
00598 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Office Web Components 11 Spreadsheet ActiveX function call access"; flow:to_client,established; file_data; content:"OWC11.Spreadsheet",nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22OWC11\.Spreadsheet(\.\d)?\x22|\x27OWC11\.Spreadsheet(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22OWC11\.Spreadsheet(\.\d)?\x22|\x27OWC11\.Spreadsheet(\.\d)?\x27)\s*\)/smiO"; metadata:policy balanced-ips drop,policy security-ips alert,service http; reference:cve,2009-1136; reference:url,support.microsoft.com/kb/973472; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-043; classtype:attempted-user; sid:15691; rev:7; service:http; )
# sid 15689 rev 7 - Microsoft Office Web Components 11 Spreadsheet control, <object> variant,
# CLSID 0002E559-0000-0000-C000-000000000046, CVE-2009-1136 / MS09-043, kb 973472. Companion to sid 15691.
# Inspects the decoded HTTP response body (file_data); the GUID content match gates the pcre.
# The pcre matches any <object ... classid=clsid:{GUID}> tag (any quoting, optional braces) and, unlike
# sids 15096/15861, does not correlate the tag's id with a later property or method access - every page that
# embeds this control by CLSID matches, so tune or suppress for known-good internal OWC deployments.
# pcre flags: s, i, O (override the configured PCRE match limits).
# Policy: balanced-ips drop, security-ips alert.
00599 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Office Web Components 11 Spreadsheet ActiveX clsid access"; flow:to_client,established; file_data; content:"0002E559-0000-0000-C000-000000000046",nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0002E559-0000-0000-C000-000000000046\s*}?\s*(?P=q1)(\s|>)/siO"; metadata:policy balanced-ips drop,policy security-ips alert,service http; reference:cve,2009-1136; reference:url,support.microsoft.com/kb/973472; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-043; classtype:attempted-user; sid:15689; rev:7; service:http; )
# sid 15687 rev 8 - Microsoft Office Web Components 10 Spreadsheet control, script-side variant,
# CVE-2009-2496 / MS09-043, kb 973472. Companion to sid 15685 (<object classid=...> form); same structure as
# sid 15691 but keyed on the OWC10 ProgID.
# Inspects the decoded HTTP response body (file_data); the "OWC10.Spreadsheet" content match gates the pcre.
# The pcre matches `new ActiveXObject("OWC10.Spreadsheet[.N]")`, ProgID inline or via a variable assigned
# earlier, and requires no particular property or method access afterwards - any scripted instantiation
# of the control matches.
# pcre flags: s, m, i, O (override the configured PCRE match limits).
# Policy: balanced-ips drop, security-ips alert.
00600 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Office Web Components 10 Spreadsheet ActiveX function call access"; flow:to_client,established; file_data; content:"OWC10.Spreadsheet",nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22OWC10\.Spreadsheet(\.\d)?\x22|\x27OWC10\.Spreadsheet(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22OWC10\.Spreadsheet(\.\d)?\x22|\x27OWC10\.Spreadsheet(\.\d)?\x27)\s*\)/smiO"; metadata:policy balanced-ips drop,policy security-ips alert,service http; reference:cve,2009-2496; reference:url,support.microsoft.com/kb/973472; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-043; classtype:attempted-user; sid:15687; rev:8; service:http; )
# sid 15685 rev 8 - Microsoft Office Web Components 10 Spreadsheet control, <object> variant,
# CLSID 0002E541-0000-0000-C000-000000000046, CVE-2009-2496 / MS09-043, kb 973472. Companion to sid 15687;
# same structure as sid 15689 but keyed on the OWC10 CLSID.
# Inspects the decoded HTTP response body (file_data); the GUID content match gates the pcre.
# The pcre matches any <object ... classid=clsid:{GUID}> tag (any quoting, optional braces) with no
# correlation to a later property or method access, so every page embedding the control by CLSID matches.
# pcre flags: s, i, O (override the configured PCRE match limits).
# Policy: balanced-ips drop, security-ips alert.
00601 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Office Web Components 10 Spreadsheet ActiveX clsid access"; flow:to_client,established; file_data; content:"0002E541-0000-0000-C000-000000000046",nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0002E541-0000-0000-C000-000000000046\s*}?\s*(?P=q1)(\s|>)/siO"; metadata:policy balanced-ips drop,policy security-ips alert,service http; reference:cve,2009-2496; reference:url,support.microsoft.com/kb/973472; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-043; classtype:attempted-user; sid:15685; rev:8; service:http; )
00601 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Office Web Components 10 Spreadsheet ActiveX clsid access"; flow:to_client,established; file_data; content:"0002E541-0000-0000-C000-000000000046",nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0002E541-0000-0000-C000-000000000046\s*}?\s*(?P=q1)(\s|>)/siO"; metadata:policy balanced-ips drop,policy security-ips alert,service http; reference:cve,2009-2496; reference:url,support.microsoft.com/kb/973472; reference:url,tech