# MS09-054 / CVE-2009-1547 (IE data-stream header handling): four sample-derived variants.
# None of them selects a sticky buffer (no http_header/file_data), so each is matched against the raw
# server->client payload exactly as transmitted; sid 21993/21992/21991 are case-sensitive.
# Decoded hex, sid 21993: "HTTP/1.1 200 OK" LF "Content-Encoding:deflate" LF "Content-Range:" CR 9xTAB LF CRLF "  ".
# Decoded hex, sid 21992: "HTTP " LF "Content-Encoding:deflate" LF "Content-Range:" LF LF.
# Decoded hex, sid 21991: "HTTP/." LF "Content-Encoding:deflate" CR TAB LF CRLF "  ".
# sid 16149: case-insensitive "Content-Encoding:deflate", then a literal backslash byte (|5C|) + "Content-Range:"
# followed by a fixed CR/LF/TAB/space run.
# All four key on a malformed header block with bare-LF terminators and a specific whitespace padding; they are
# fingerprints of known samples rather than a structural check of the header-parsing flaw, so a sample with a
# different padding run is outside their coverage.
00301 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer data stream header remote code execution attempt"; flow:to_client,established; content:"|48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0A 43 6F 6E 74 65 6E 74 2D 45 6E 63 6F 64 69 6E 67 3A 64 65 66 6C 61 74 65 0A 43 6F 6E 74 65 6E 74 2D 52 61 6E 67 65 3A 0D 09 09 09 09 09 09 09 09 09 0A 0D 0A 20 20|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-1547; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-054; classtype:attempted-user; sid:21993; rev:2; service:http; )
00302 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer data stream header remote code execution attempt"; flow:to_client,established; content:"|48 54 54 50 20 0A 43 6F 6E 74 65 6E 74 2D 45 6E 63 6F 64 69 6E 67 3A 64 65 66 6C 61 74 65 0A 43 6F 6E 74 65 6E 74 2D 52 61 6E 67 65 3A 0A 0A|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-1547; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-054; classtype:attempted-user; sid:21992; rev:2; service:http; )
00303 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer data stream header remote code execution attempt"; flow:to_client,established; content:"|48 54 54 50 2F 2E 0A 43 6F 6E 74 65 6E 74 2D 45 6E 63 6F 64 69 6E 67 3A 64 65 66 6C 61 74 65 0D 09 0A 0D 0A 20 20|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-1547; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-054; classtype:attempted-user; sid:21991; rev:2; service:http; )
00304 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer data stream header remote code execution attempt"; flow:to_client,established; content:"Content-Encoding|3A|deflate",nocase; content:"|5C|Content-Range|3A 0D 0A 0D 0A 0D 0A 09| |09 09| |09| |09 09 09 09 09| |09 09| |09| |09 09| |09 09| |09 09 09| |09| |09| |09| |09| |09 09 09| |09 09| |09| |09 09 09| |09| |09| |09| |09 09 09 09 09 09| |09 09| |09|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-1547; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-054; classtype:attempted-user; sid:16149; rev:7; service:http; )
# MS05-020 / CVE-2005-0553 (IE DHTML object handling): six rules, each keyed on one statement of the public
# proof-of-concept script. Raw payload matches, no sticky buffer.
# sid 18523: document.writeln((block.length+memory[0].length*300)); then child_creator.click(); within 100 bytes.
# sid 18522: child_creator = document.createElement("<A target='_blank' ... then document.body.insertBefore(child_creator);
#            within 200 bytes.
# sid 18521: child_element = child.document.createElement(""); then child_element.appendChild(parent_element); (distance 0).
# sid 18520: literal try { window.open().document.appendChild(document); } catch(e) {} - on $FILE_DATA_PORTS, so it
#            also covers mail bodies (service imap/pop3).
# sid 18519: filler += unescape("%u0000%u0000 then obj.insertBefore(document.createElement(filler));
# sid 18518: UTF-16LE encoding (every character followed by 00) of
#            arent_element.appendChild(document.createComment(sMSHTML_heap_spray)); - the leading "p" is not part of
#            the pattern, so any identifier ending in "arent_element" matches.
# Every pattern carries the PoC's own identifiers (child_creator, filler, sMSHTML_heap_spray); a renamed or
# minified copy of the same script is outside coverage, and only sid 18518 handles a UTF-16 encoded page.
00308 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer HTML DOM invalid DHTML exploit attempt"; flow:to_client,established; content:"document.writeln|28 28|block.length|2B|memory|5B|0|5D 2E|length|2A|300|29 29 3B|"; content:"child_creator.click|28 29 3B|",within 100; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,13120; reference:cve,2005-0553; reference:nessus,10861; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-020; classtype:attempted-user; sid:18523; rev:5; service:http; )
00309 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer HTML DOM invalid DHTML element creation attempt"; flow:to_client,established; content:"child_creator|20 3D 20|document|2E|createElement|28 22 3C|A target|3D 27|_blank|27|"; content:"document.body.insertBefore|28|child_creator|29 3B|",within 200; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,13120; reference:cve,2005-0553; reference:nessus,10861; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-020; classtype:attempted-user; sid:18522; rev:5; service:http; )
00310 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer HTML DOM invalid DHTML element creation attempt"; flow:to_client,established; content:"child_element|20 3D 20|child|2E|document|2E|createElement|28 22 22 29 3B|"; content:"child_element|2E|appendChild|28|parent_element|29 3B|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,13120; reference:cve,2005-0553; reference:nessus,10861; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-020; classtype:attempted-user; sid:18521; rev:5; service:http; )
00311 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer HTML DOM invalid DHTML exploit attempt"; flow:to_client,established; content:"try { window.open().document.appendChild(document)|3B| } catch(e) {}"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,13120; reference:cve,2005-0553; reference:nessus,10861; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-020; classtype:attempted-user; sid:18520; rev:6; service:http; service:imap; service:pop3; )
00312 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer HTML DOM invalid DHTML element creation attempt"; flow:to_client,established; content:"filler|20 2B 3D 20|unescape|28 22 25|u0000|25|u0000"; content:"obj|2E|insertBefore|28|document|2E|createElement|28|filler|29 29 3B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,13120; reference:cve,2005-0553; reference:nessus,10861; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-020; classtype:attempted-user; sid:18519; rev:5; service:http; )
00313 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer HTML DOM invalid DHTML comment creation attempt"; flow:to_client,established; content:"|61 00 72 00 65 00 6E 00 74 00 5F 00 65 00 6C 00 65 00 6D 00 65 00 6E 00 74 00 2E 00 61 00 70 00 70 00 65 00 6E 00 64 00 43 00 68 00 69 00 6C 00 64 00 28 00 64 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00 2E 00 63 00 72 00 65 00 61 00 74 00 65 00 43 00 6F 00 6D 00 6D 00 65 00 6E 00 74 00 28 00 73 00 4D 00 53 00 48 00 54 00 4D 00 4C 00 5F 00 68 00 65 00 61 00 70 00 5F 00 73 00 70 00 72 00 61 00 79 00 29 00 29 00 3B 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,13120; reference:cve,2005-0553; reference:nessus,10861; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-020; classtype:attempted-user; sid:18518; rev:6; service:http; )
# MS07-057 / CVE-2007-3896 (ShellExecute URL handling reached through a vCard URL line).
# Only responses from source port 80 are inspected (literal 80, not $HTTP_PORTS), so the same content served
# on 8080/8000 or any other web port is not covered. Raw payload match on "BEGIN:VCARD" followed by a
# "URL;<type>:mailto:" line that contains a "%" and a ".cmd"/".bat" suffix (pcre, case-insensitive, multi-line).
00389 alert tcp $EXTERNAL_NET 80 -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Windows ShellExecute and Internet Explorer 7 url handling code execution attempt"; flow:to_client,established; content:"BEGIN|3A|VCARD"; pcre:"/^URL\x3b\w+\x3amailto\x3a[^\n]*%[^\n]*\.(cmd|bat)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,25945; reference:cve,2007-3896; reference:url,technet.microsoft.com/en-us/security/advisory/943521; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-057; classtype:attempted-user; sid:12664; rev:7; service:http; )
# MS13-038 / CVE-2013-1347 (IE null object access). Raw payload match on $FILE_DATA_PORTS, so it also applies to
# mail bodies (service imap/pop3). Requires "offsetParent" (fast pattern) with "null" (nocase) in the next 10
# bytes, plus "createElement" followed within 20 bytes by "datalist" and "createElement" followed within 20 bytes
# by "table". The two createElement anchors carry no distance/offset, so each search is absolute and the order
# in which the page creates the datalist and the table should not matter. Element names are case-sensitive. rev 1.
00465 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer null object access attempt"; flow:to_client,established; content:"offsetParent",fast_pattern; content:"null",within 10,nocase; content:"createElement"; content:"datalist",within 20; content:"createElement"; content:"table",within 20; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-1347; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-038; classtype:attempted-user; sid:26668; rev:1; service:http; service:imap; service:pop3; )
# CVE-2008-1898 (Microsoft Works WkImgSrv.dll ActiveX control). Both rules first require the control's CLSID
# 00E1DB59-6EFD-4CE7-8C0A-2DA3BCAAD9C6 in the raw payload, then switch to file_data for "WksPictureInterface".
# sid 16740 additionally needs a case-insensitive "var num = -1;" or "var num = 168430090;" (pcre);
# sid 20901 needs the literal "num = 168430090" (no "var", case-sensitive). 168430090 is 0x0A0A0A0A, a value
# typical of heap-spray addresses, so both rules key on the PoC's chosen property value rather than on the
# vulnerable property itself; a page setting any other value is not covered.
00538 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Works WkImgSrv.dll ActiveX control code execution attempt"; flow:to_client,established; content:"00E1DB59-6EFD-4CE7-8C0A-2DA3BCAAD9C6"; file_data; content:"WksPictureInterface"; pcre:"/var num \x3D (-1|168430090)\x3B/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,28820; reference:cve,2008-1898; classtype:attempted-user; sid:16740; rev:4; service:http; )
00554 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Works WkImgSrv.dll ActiveX control exploit attempt"; flow:to_client,established; content:"00E1DB59-6EFD-4CE7-8C0A-2DA3BCAAD9C6"; file_data; content:"WksPictureInterface"; content:"num|20 3D 20|168430090"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,28820; reference:cve,2008-1898; classtype:attempted-user; sid:20901; rev:4; service:http; )
# Blackhole exploit kit landing page: "<html><body><applet code=" with an archive= attribute and display:none
# (all nocase, raw payload), plus a parameter string of at least ten caret-separated tokens
# (pcre "([@\x2da-z0-9]+?\x5e){10}", case-insensitive). The long CVE list is the kit's known exploit inventory,
# not something this rule verifies: a hit means "Blackhole landing page was delivered"; which exploit (if any)
# actually ran has to be established from the follow-on file transfers. impact_flag red, community ruleset.
00693 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole Exploit Kit JavaScript carat string splitting with hostile applet"; flow:to_client,established; content:"<html><body><applet|20|code=",nocase; content:"|20|archive=",distance 0,nocase; content:"display|3A|none|3B|",distance 0,nocase; pcre:"/([@\x2da-z0-9]+?\x5e){10}/smi"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:trojan-activity; sid:21438; rev:4; service:http; )
# Unnamed malvertising exploit kit, stage-1 redirect page (rev 1, no external reference). Fingerprint of a
# generated HTML page that begins "<html><body><script>" LF "var " (fast pattern), creates an element and sets
# its archive/codebase/id/code attributes (an applet bootstrap) inside 65-byte windows, appends it to the body
# and ends with an exact "</script>" LF "</body>" LF "</html>" LF LF. Every content is case- and
# whitespace-exact, so a minor template change by the kit operator moves the page off this signature;
# expect to re-derive it from fresh samples rather than rely on it long term.
00962 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Unknown Malvertising Exploit Kit stage-1 redirect"; flow:to_client,established; content:"<html><body><script>|0A|var ",fast_pattern; content:"document.createElement(",within 80; content:".setAttribute(|22|archive|22|, ",within 65; content:".setAttribute(|22|codebase|22|, ",within 65; content:".setAttribute(|22|id|22|, ",within 65; content:".setAttribute(|22|code|22|, ",within 65; content:"|22|)|3B 0A|document.body.appendChild(",within 65; content:"</script>|0A|</body>|0A|</html>|0A 0A|"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; classtype:trojan-activity; sid:27086; rev:1; service:http; )
# MS12-024 / CVE-2010-0151 (Authenticode signature verification bypass). Requires the file.exe flowbit, set by a
# PE-detection rule that is not in this listing; without that rule loaded this one never fires.
# Matches a fixed 16-byte slice of a PE32 header (SizeOfOptionalHeader 0x00E0, Characteristics 0x0122,
# Magic 0x010B, linker version 10.0, SizeOfCode 0x6400, SizeOfInitializedData 0x2E00) and a second fixed
# 16-byte slice exactly 112 bytes later, which by offset falls in the data-directory table
# (NOTE(review): looks like it covers the Certificate Table entry, 0x0E50 / 0x1530 - verify against a sample).
# This is a per-sample fingerprint, not a structural check of the signature/size mismatch the CVE describes.
00988 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-EXECUTABLE Microsoft Windows Authenticode signature verification bypass attempt"; flow:to_client,established; flowbits:isset,file.exe; content:"|E0 00 22 01 0B 01 0A 00 00 64 00 00 00 2E 00 00|",fast_pattern; content:"|00 B0 00 00 50 0E 00 00 30 15 00 00 1C 00 00 00|",within 16,distance 112; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-0151; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-024; classtype:attempted-user; sid:26590; rev:2; service:http; service:imap; service:pop3; )
# CVE-2008-5352 (JRE Pack200 decompression integer overflow). Header buffer must carry "Content-Encoding:"
# followed within 20 bytes by "pack200-gzip" (both nocase). The body check then looks for the Pack200 magic
# CA FE D0 0D followed within 50 bytes by the 7-byte sample-specific run C5 FC FC FC FC 00 D6 (fast pattern).
# NOTE(review): "file_data; pkt_data;" - the pkt_data immediately replaces the file_data selection, so the
# magic is searched in the raw packet payload rather than the reassembled/decoded file buffer; confirm this is
# intended, since the archive start may not sit in the same packet-data window as the headers.
01723 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java Runtime Environment Pack200 Decompression Integer Overflow attempt"; flow:to_client,established; http_header; content:"Content-Encoding|3A|",nocase; content:"pack200-gzip",within 20,nocase; file_data; pkt_data; content:"|CA FE D0 0D|"; content:"|C5 FC FC FC FC 00 D6|",within 50,fast_pattern; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,32608; reference:cve,2008-5352; classtype:misc-attack; sid:17562; rev:8; service:http; )
# CVE-2009-1095 (JRE Pack200 integer overflow), older rule (rev 6). No port restriction on either side
# ($EXTERNAL_NET any -> $HOME_NET any) and no sticky buffer: the header text "Content-Encoding: pack200-gz"
# (nocase; a prefix, so "pack200-gzip" also matches) and two opaque 16-byte blobs are searched across the whole
# raw payload of any established server->client stream. Both blobs look sample-specific, so treat a hit as a
# fingerprint of that file rather than of the vulnerability class.
01739 alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java Runtime Environment Pack200 Decompression Integer Overflow"; flow:to_client,established; content:"Content-Encoding: pack200-gz",nocase; content:"|9A 10 3A C7 39 E2 E6 DE BE F7 71 BA 7C 22 5E D7|"; content:"|49 F4 EF C7 73 9F 9B 9C 8B 32 A7 88 58 FF 13 31|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,34240; reference:cve,2009-1095; classtype:attempted-user; sid:17522; rev:6; service:http; service:imap; service:pop3; )
# CVE-2008-0234 (QuickTime HTTP error response buffer overflow). Depends on the quicktime_agent flowbit, which a
# request-side rule not in this listing must set. Logic: find the literal "HTTP/1.1 404", require at least
# 256 more bytes (isdataat:256,relative) and require that no LF appears in those 256 bytes
# (content:!"|0A|",within 256) - i.e. a 404 status line longer than 256 bytes.
# Only "HTTP/1.1 404" is covered; an equally oversized line on another status code or an HTTP/1.0 response
# is not.
01833 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Apple QuickTime HTTP error response buffer overflow"; flow:to_client,established; flowbits:isset,quicktime_agent; content:"HTTP/1.1 404"; isdataat:256,relative; content:!"|0A|",within 256; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,27225; reference:cve,2008-0234; classtype:attempted-user; sid:13516; rev:7; service:http; )
# MS13-002 / CVE-2013-0006 (MSXML heap overflow triggered by a very large XML document).
# Header check: a Content-Length line whose value, after leading zeros, matches [1-9][0-9]{8} or [7-9][0-9]{8}.
# The second alternative is a subset of the first and the pattern is not end-anchored, so the effective
# threshold is any length of nine or more digits, i.e. >= 100,000,000 bytes.
# NOTE(review): if 700,000,000 was the intended floor, the first alternative should read [1-9][0-9]{9,} - confirm.
# Body check: "<?xml " within the first 100 bytes of the raw payload (pkt_data, depth 100, fast pattern).
# The leading "file_data;" is immediately superseded by "http_header;" and has no effect.
02233 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-OTHER overly large XML file MSXML heap overflow attempt"; flow:to_client,established; file_data; http_header; content:"Content-Length|3A|"; pcre:"/^Content-Length\x3a\s*0*([1-9][0-9]{8}|[7-9][0-9]{8})/mi"; pkt_data; content:"<?xml ",depth 100,fast_pattern; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0006; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-002; classtype:attempted-user; sid:25270; rev:2; service:http; )
# Web-shell banner detection, two families. Direction is $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET with
# flow:to_client: these inspect responses *served by* an internal web server, so a hit means a HOME_NET host is
# already hosting the shell (compromised), not that it is being attacked - route these to incident response
# rather than treating them as blocked perimeter attacks.
# sid 23829 matches the comment "/* Loader'z WEB Shell v"; sid 23830 matches "<?php /* Cod3d by Mr.Alsa3ek and
# Al-Swisre", i.e. raw PHP source text in a response body.
# NOTE(review): the "<?php" prefix only reaches the wire when the file is returned unexecuted (e.g. a backup or
# .txt copy); confirm that is the intended coverage. Both rules are rev 1 with no external reference.
02404 alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any ( msg:"INDICATOR-COMPROMISE Loaderz Web Shell"; flow:to_client,established; content:"/* Loader|27|z WEB Shell v"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:23829; rev:1; service:http; )
02405 alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any ( msg:"INDICATOR-COMPROMISE Alsa3ek Web Shell"; flow:to_client,established; content:"<?php /* Cod3d by Mr.Alsa3ek and Al-Swisre"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:23830; rev:1; service:http; )
# Generic JavaScript obfuscation routine: "String.fromCharCode(parseInt" followed within 1000 bytes by another
# "String.fromCharCode(", then ".charCodeAt(" and ".replace" within 100 bytes each, and a
# .replace(/<regex>/<flags>, "") or '' call (pcre). Raw payload, case-sensitive contents.
# No reference and no specific family: it keys on a decode-loop shape that legitimate packers can also produce,
# so treat alerts as a triage signal to correlate with a follow-on download rather than as a verdict on their own.
02438 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION known JavaScript obfuscation routine"; flow:to_client,established; content:"String.fromCharCode|28|parseInt"; content:"String.fromCharCode|28|",within 1000; content:".charCodeAt|28|",within 100; content:".replace",within 100; pcre:"/\.replace\x28\x2F[^\x2F]+\x2F[A-Z]*\x2C(\x22\x22|\x27\x27)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:attempted-user; sid:17111; rev:6; service:http; )
# DarkSeoul-related wiper sample. The marker string JO840112-CRAS8468-11150923-PCI8273V is searched in the raw
# payload before file_data is selected; the remaining contents (a 32-byte x86 code slice, the process-kill
# command "taskkill /F /IM pasvc.exe", and "GIt%") are matched in the file buffer.
# The reference is a VirusTotal entry for one specific SHA-256, so this is per-sample coverage; impact_flag red.
02554 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-BACKDOOR DarkSeoul related wiper"; flow:to_client,established; content:"JO840112-CRAS8468-11150923-PCI8273V"; file_data; content:"|5F 0F 94 C0 5E C9 C3 53 56 8B 74 24 0C 33 DB 57 39 1E 7E 19 8D BE 78 01 00 00 FF 37 56 FF 96 A0|"; content:"taskkill /F /IM pasvc.exe"; content:"GIt%"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/en/file/510f83af3c41f9892040a8a80b4f3a4736eebee2ec4a7d4bfee63dbe44d7ecff/analysis/; classtype:trojan-activity; sid:26326; rev:1; service:http; service:imap; service:pop3; )
# Jokra dropper sample. A 21-byte opaque blob in the raw payload, then in file_data a 19-byte blob and "UPX!"
# (the UPX packer marker). NOTE(review): the 19-byte hex blob carries nocase, which on a hex pattern only
# widens the ASCII-letter bytes it contains (0x4C, 0x72, 0x42) to their other case - harmless, but probably
# unintended for binary data. Per-sample coverage (single VirusTotal SHA-256 reference), impact_flag red, rev 1.
02556 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-BACKDOOR Jokra dropper download"; flow:to_client,established; content:"|05 C4 89 84 24 70 1A 30 5B 82 44 8D 79 22 75 04 67 09 4E 33 7B|"; file_data; content:"|93 4C C8 83 0C B8 72 42 06 39 F4 02 84 DB 02 F8 CE 80 1C|",nocase; content:"UPX!",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/en/file/422c767682bee719d85298554af5c59cf7e48cf57daaf1c5bdd87c5d1aab40cc/analysis/; classtype:trojan-activity; sid:26332; rev:1; service:http; service:imap; service:pop3; )
# SubSeven backdoor: the server banner sent by a HOME_NET host on port 27374 back to the controller
# ($EXTERNAL_NET). A hit means the internal host is the infected/controlled side. Raw payload: "connected."
# (nocase) then "Legends" (fast pattern), plus a pcre pinning the banner shape
# "connected. ... 20dd ... ver: Legends 2.1" (a four-digit 20xx year somewhere on the same line).
# NOTE(review): the rule is bound to service:http although the SubSeven protocol on 27374 is not HTTP; confirm
# that the service binding does not suppress evaluation on flows the inspector does not classify as HTTP.
02749 alert tcp $HOME_NET 27374 -> $EXTERNAL_NET any ( msg:"MALWARE-CNC SubSeven client connection to server"; flow:to_client,established; content:"connected.",nocase; content:"Legends",distance 0,fast_pattern,nocase; pcre:"/^connected\x2e[^\x0D\x0A]*20\d\d[^\x0D\x0A]*ver\x3A\s+Legends\s2\x2e1/smi"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.threatexpert.com/report.aspx?md5=da8d7529a8a37335064ade9d04df08ad; classtype:trojan-activity; sid:15938; rev:6; service:http; )
# MiniFlame C&C, response side. Requires the malware.miniflame flowbit (set by the request-side rule, not in
# this listing) and clears it afterwards (flowbits:unset), so each request/response pair is evaluated once.
# Matches CRLF "<!-- " followed by an HTML comment whose body is a single run of 52 or more word characters,
# closed by "-->" CRLF (pcre, multi-line). Single VirusTotal sample reference; impact_flag red, rev 1.
03090 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Trojan.MiniFlame C&C command response attempt"; flow:to_client,established; flowbits:isset,malware.miniflame; content:"|0D 0A|<!-- "; pcre:"/^<!--\s+[\w]{52,}\s+-->\r\n/smi"; flowbits:unset,malware.miniflame; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/file/3eeaf4df50d375123d7c2c459634b7b43bdb7823198afd9399b7ec49548e3f12/analysis/; classtype:trojan-activity; sid:24594; rev:1; service:http; service:imap; service:pop3; )
# Java.Trojan.FlashPlayer delivered as "FlashPlayer.jar". Header buffer: "filename=" (nocase); the cursor is then
# switched to pkt_data and "FlashPlayer.jar" is required within 17 bytes (fast pattern).
# NOTE(review): the relative "within 17" follows a buffer switch, so its anchoring to the "filename=" match made
# in the header buffer should be confirmed for the Snort version in use. Keying on a bare filename also means any
# benign file of that name on $FILE_DATA_PORTS (http/imap/pop3) will alert - expect to whitelist by source.
03138 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Java.Trojan.FlashPlayer file download attempt"; flow:to_client,established; http_header; content:"filename=",nocase; pkt_data; content:"FlashPlayer.jar",within 17,fast_pattern; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/file/9324faaed6c7920f1721b60f81e1b04fbe317dedf9974bdfa02d8fcd1f0be18f/analysis/; classtype:trojan-activity; sid:25764; rev:2; service:http; service:imap; service:pop3; )
# Zeus spam campaign using "-2013.zip" / "-2013.exe" filenames (community ruleset). Header check: "-2013.zip" CRLF
# in the raw payload and again in the header buffer, then "distance -14, within 1" steps the cursor back from the
# end of that 11-byte match to require a "-" exactly 3 bytes before it (shape "-???-2013.zip").
# Body check (pkt_data): "-2013.exe" with the same -14 step; because that content is two bytes shorter (no CRLF)
# the "-" lands 5 bytes before it (shape "-?????-2013.exe").
# NOTE(review): the two back-references therefore admit different prefix lengths; confirm which shape is intended
# and adjust one of the distances if they were meant to agree.
03143 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; http_header; content:"-2013.zip|0D 0A|"; content:"-",within 1,distance -14; file_data; pkt_data; content:"-2013.exe"; content:"-",within 1,distance -14; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/; classtype:trojan-activity; sid:26470; rev:1; service:http; )
# Sutra TDS (traffic distribution system) redirect responses; security-ips policy only, not balanced-ips.
# sid 21845: "_0000=" anywhere in the raw payload (fast pattern), then in the cookie buffer "SL_" followed within
# 8 bytes by "_0000=" - a cookie name of the form SL_<short>_0000.
# sid 21851: HTTP status 302; in the raw payload "=_" followed 1 byte later by the bytes "_", 0x5C, 0x3B, " domain="
# (NOTE(review): |5C 3B| is a literal backslash then semicolon on the wire; if the original rule only meant an
# escaped semicolon, the extra backslash byte would prevent the match - confirm against the source rule text);
# and a cookie matching ^[a-z]{5}\d=_\d_ (five lowercase letters, a digit, "=_", a digit, "_").
# Both are cookie-format fingerprints of the TDS software and say nothing about where the redirect leads.
03146 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER TDS Sutra - redirect received"; flow:to_client,established; content:"_0000=",fast_pattern; http_cookie; content:"SL_"; content:"_0000=",within 8; metadata:impact_flag red,policy security-ips drop,ruleset community,service http; reference:url,wepawet.iseclab.org/view.php?hash=822b95927fd4d8bb6eb2e62f4e1ef645&t=1243359208&type=js; reference:url,www.nartv.org/tag/tds/; reference:url,xylibox.blogspot.com/2011/12/sutra-tds-v34.html; classtype:trojan-activity; sid:21845; rev:8; service:http; )
03150 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER TDS Sutra - redirect received"; flow:to_client,established; http_stat_code; content:"302"; pkt_data; content:"=_"; content:"_|5C 3B| domain=",within 11,distance 1; http_cookie; pcre:"/^[a-z]{5}\d=_\d_/"; metadata:impact_flag red,policy security-ips drop,ruleset community,service http; reference:url,wepawet.iseclab.org/view.php?hash=822b95927fd4d8bb6eb2e62f4e1ef645&t=1243359208&type=js; reference:url,www.nartv.org/tag/tds/; reference:url,xylibox.blogspot.com/2011/12/sutra-tds-v34.html; classtype:trojan-activity; sid:21851; rev:6; service:http; )
# MediaGet adware installer. The same token "MediagetDownloaderInfo" must appear both in the raw payload and in
# the cookie buffer of the server response; "destination ip infected" in the msg refers to the $HOME_NET client
# receiving that response. classtype misc-activity (PUA), single VirusTotal sample reference.
03402 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"PUA-ADWARE Adware.MediaGetInstaller inbound connection - destination ip infected"; flow:to_client,established; content:"MediagetDownloaderInfo"; http_cookie; content:"MediagetDownloaderInfo"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/72e86852d56b35cf19ae86c9fb37f8b65b8e3038a9a1e2c77532f254fe4f662a/analysis/; classtype:misc-activity; sid:21644; rev:3; service:http; )
# CVE-2008-5448 (Oracle Secure Backup exec_qr command injection). Source port 443, so what is matched is the TLS
# handshake, not the (encrypted) injected command: the bytes are a DER fragment of an X.509 certificate -
# "02 03 01 00 01" (INTEGER 65537, an RSA public exponent), then the extensions block with OID 2.5.29.14
# (subjectKeyIdentifier) and the first 8 bytes of a 20-byte key identifier (BE CA 3E 52 2D 3D CE 89).
# In effect the rule fingerprints one server certificate (presumably the one shipped with the product - confirm)
# and alerts whenever a client completes a handshake with it, which identifies an exposed OSB service rather than
# an exploitation attempt. NOTE(review): the service:http/imap/pop3 binding on a 443 handshake deserves review.
03602 alert tcp $EXTERNAL_NET 443 -> $HOME_NET any ( msg:"SERVER-ORACLE Oracle Secure Backup exec_qr command injection attempt"; flow:to_client,established; content:"|02 07 02 03 01 00 01 A3 81 88 30 81 85 30 1D 06 03 55 1D 0E 04 16 04 14 BE CA 3E 52 2D 3D CE 89|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2008-5448; classtype:attempted-user; sid:24907; rev:1; service:http; service:imap; service:pop3; )
# CVE-2008-0065 (Winamp Ultravox streaming metadata overflow), source ports 80 and 8090 only. Raw payload:
# "misc/ultravox", then "<name>" (nocase) with at least 266 further bytes and no "</name>" in the next 256 -
# an oversized name element - plus a pcre requiring a "Content-Type: misc/ultravox" header, a blank line, and a
# body starting "Z" <any byte> "9" 0x01 (presumably the Ultravox frame header - confirm).
# NOTE(review): "misc/ultravox" is searched in the raw payload rather than the header buffer, and the pcre is
# unanchored with a lazy ".+?" under /s, so it can walk an entire stream segment; check cost on busy sensors.
03741 alert tcp $EXTERNAL_NET [80,8090] -> $HOME_NET any ( msg:"SERVER-OTHER Nullsoft Winamp Ultravox streaming malicious metadata"; flow:to_client,established; content:"misc/ultravox"; content:"<name>",distance 0,nocase; isdataat:266,relative; content:!"</name>",within 256; pcre:"/Content-Type\x3A\s*misc/ultravox.+?(\r?\n){2}\x5A.9\x01/is"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-0065; classtype:attempted-user; sid:13521; rev:6; service:http; )