# sid 16667 / 16668 — CVE-2010-1663 (Chrome GURL cross-origin bypass). Both rules fingerprint the
# public PoC: a hard-coded Google <iframe src=...> URL plus a `javascr\u0009ipt:` /
# `j\navascript:` alert(document.cookie) payload. The bypass itself (a control character inside the
# scheme) is not matched generically — any other target URL, payload or whitespace escape is missed.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-CHROME Google Chrome GURL cross origin bypass attempt - 1"; flow:to_client,established; file_data; content:"src=|22|https|3A 2F 2F|www.google.com|2F|accounts|2F|ManageAccount?hl=fr|22|"; content:"javascr|5C|u0009ipt|3A|alert|28|document.cookie"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,39813; reference:cve,2010-1663; classtype:attempted-user; sid:16667; rev:4; service:http; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-CHROME Google Chrome GURL cross origin bypass attempt - 2"; flow:to_client,established; file_data; content:"src=|22|http|3A 2F 2F|www.google.ca|2F|language_tools?hl=en|22|"; content:"window.open|28 27|j|5C|navascript|3A|alert|28|document.cookie|29 27|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,39813; reference:cve,2010-1663; classtype:attempted-user; sid:16668; rev:3; service:http; )
# sid 19710 — CVE-2011-1804 (Chrome float rendering corruption). Three independent matches anywhere in
# the response body: CSS `display: list-item`, `display: -webkit-inline-box`, and a `removeChild(`
# call. No relative modifiers tie them together, so benign pages using both display values plus DOM
# removal may trip this; tune with a pass list if it proves noisy.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-CHROME Google Chrome float rendering corruption attempt"; flow:to_client,established; file_data; content:"display: list-item"; content:"display: -webkit-inline-box"; content:"removeChild|28|",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2011-1804; classtype:attempted-user; sid:19710; rev:5; service:http; )
# sid 17613 — CVE-2009-1392 (Firefox layout-engine memory corruption). Ordered chain: `first-letter`,
# then `direction` with `rtl` within 8 bytes, then `whitespace = ` with `pre` within 10 bytes, then a
# `<span`. Everything is nocase, so the `whitespace =` / `pre` pair also covers a JS
# `style.whiteSpace = "pre"` assignment, not only the CSS form.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox browser engine memory corruption attempt"; flow:to_client, established; file_data; content:"first-letter",nocase; content:"direction",distance 0,nocase; content:"rtl",within 8; content:"whitespace |3D| ",distance 0,nocase; content:"pre",within 10,nocase; content:"|3C|span",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,35326; reference:cve,2009-1392; classtype:attempted-user; sid:17613; rev:5; service:http; )
# sid 19292 — CVE-2010-3765 (Firefox appendChild use-after-free). Matches the PoC literally:
# `cobj.id="testcase"` followed by `document.body.appendChild(cobj)`. The variable name `cobj` and
# id `testcase` are PoC artifacts; renaming either evades the rule. See also sid 17804 (same CVE).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox appendChild use-after-free attempt"; flow:to_client,established; file_data; content:"cobj|2E|id=|22|testcase|22|",fast_pattern,nocase; content:"document|2E|body|2E|appendChild|28|cobj|29|",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-3765; classtype:attempted-user; sid:19292; rev:4; service:http; )
# sid 18486 / 18485 — CVE-2006-4253 (Firefox JS handler race condition). Both fingerprint a crash
# test case rather than the bug: 18486 needs eighteen consecutive `<x>` tags starting within the
# first 70 bytes of the body (depth 70); 18485 needs nine repeats of the raw byte sequence
# `</x "\xB6">\xD1`. Any change to the repeat count, prefix or bytes evades them.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox JavaScript handler race condition memory corruption attempt"; flow:to_client,established; file_data; content:"|3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E 3C|x|3E|",depth 70; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,19488; reference:cve,2006-4253; classtype:attempted-user; sid:18486; rev:3; service:http; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox JavaScript handler race condition memory corruption attempt"; flow:to_client,established; file_data; content:"|3C 2F|x|20 22 B6 22 3E D1 3C 2F|x|20 22 B6 22 3E D1 3C 2F|x|20 22 B6 22 3E D1 3C 2F|x|20 22 B6 22 3E D1 3C 2F|x|20 22 B6 22 3E D1 3C 2F|x|20 22 B6 22 3E D1 3C 2F|x|20 22 B6 22 3E D1 3C 2F|x|20 22 B6 22 3E D1 3C 2F|x|20 22 B6 22 3E D1|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,19488; reference:cve,2006-4253; classtype:attempted-user; sid:18485; rev:3; service:http; )
# sid 18302 / 18301 — CVE-2006-3803 (Firefox GC / GeckoActiveXObject memory corruption).
# 18302: `try { eval(e+'(buf,buf)'); }` followed within 200 bytes by the three-argument variant.
# 18301: `str+=str;` followed within 200 bytes by `window.GeckoActiveXObject(str);`.
# Both are exact PoC strings (variable names `e`, `buf`, `str`); whitespace or renaming evades them.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox new function garbage collection remote code execution attempt"; flow:to_client,established; file_data; content:"try|20 7B 20|eval|28|e|2B 27 28|buf|2C|buf|29 27 29 3B 20 7D|"; content:"try|20 7B 20|eval|28|e|2B 27 28|buf|2C|buf|2C|buf|29 27 29 3B 20 7D|",within 200; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,19181; reference:cve,2006-3803; classtype:attempted-user; sid:18302; rev:3; service:http; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox GeckoActiveXObject memory corruption attempt"; flow:to_client,established; file_data; content:"str|2B 3D|str|3B|"; content:"window.GeckoActiveXObject|28|str|29 3B|",within 200; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,19181; reference:cve,2006-3803; classtype:attempted-user; sid:18301; rev:3; service:http; )
# sid 18263 — CVE-2006-3801 (Firefox deleted frame/window reference). Ordered (distance 0) match on
# `editEl = window.el;`, `editEl.innerHTML = value;`, `editEl.disabled = false;` — the exact PoC
# statements including their spacing. PoC-specific names (`editEl`, `el`, `value`).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox Javascript deleted frame or window reference attempt"; flow:to_client,established; file_data; content:"editEl|20 3D 20|window|2E|el|3B|"; content:"editEl|2E|innerHTML|20 3D 20|value|3B|",distance 0; content:"editEl|2E|disabled|20 3D 20|false|3B|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-3801; reference:url,osvdb.org/show/osvdb/27558; classtype:attempted-user; sid:18263; rev:3; service:http; )
# sid 18262 / 18261 — CVE-2006-3806 (Firefox JS engine memory corruption).
# 18262: `;i<25;i++) fe += fe;` doubling loop, `fu=new Function(` + newline, and `fe, fe, fe, ...`
#   within 30 bytes of it.
# 18261: `var rr=` then, after exactly 1 byte, `.toSource();` (the content is 12 bytes and
#   within 12 / distance 1 leaves no slack) — so only a single-character expression such as
#   `var rr=x.toSource();` matches — plus the `for(i=0;i<1024*1024;i++) meg += "v";` filler loop.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox Javascript engine function arguments memory corruption attempt"; flow:to_client,established; file_data; content:"|3B|i<25|3B|i++|29| fe += fe|3B|"; content:"fu=new Function|28 0A|"; content:"fe, fe, fe, fe, fe, fe, fe,",within 30; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,19181; reference:cve,2006-3806; classtype:attempted-user; sid:18262; rev:3; service:http; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox Javascript engine String.toSource memory corruption attempt"; flow:to_client,established; file_data; content:"var rr=",nocase; content:".toSource|28 29 3B|",within 12,distance 1; content:"for|28|i=0|3B|i<1024|2A|1024|3B|i++|29| meg += |22|v|22 3B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,19181; reference:cve,2006-3806; classtype:attempted-user; sid:18261; rev:3; service:http; )
# sid 18187 — CVE-2006-1790 (Firefox InstallTrigger.install memory corruption). Single literal match
# on `InstallTrigger.install.call(document,"a","a");` — the PoC's argument values are part of the
# signature, so other arguments are not covered.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox InstallTrigger.install memory corruption attempt"; flow:to_client,established; file_data; content:"InstallTrigger.install.call|28|document|2C 22|a|22 2C 22|a|22 29 3B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,17516; reference:cve,2006-1790; classtype:attempted-user; sid:18187; rev:3; service:http; )
# sid 16142 — CVE-2009-3076 (Firefox pkcs11.addmodule code execution). Requires the literal call
# `window.pkcs11.addmodule(` plus a pcre for either `caption,"\\\` or `"\n\n\n" + str` — the two
# argument shapes seen in the PoC. The pcre is not anchored relative to the content match.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox PKCS11 module installation code execution attempt"; flow:to_client,established; file_data; content:"window.pkcs11.addmodule|28|"; pcre:"/(caption,\x22\x5c\x5c\x5c|\x22\x5cn\x5cn\x5cn\x22\x20\x2b\x20str)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,36343; reference:cve,2009-3076; classtype:attempted-user; sid:16142; rev:4; service:http; )
# sid 17719 — CVE-2009-1313 (Firefox ClearTextRun). Matches `white-space: pre` plus the exact PoC
# call `getElementById('para').childNodes[0].splitText(11)`; the element id and split offset are
# PoC constants. sid 16284 covers a second variant of the same PoC.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox ClearTextRun exploit attempt"; flow:to_client,established; file_data; content:"white-space|3A| pre"; content:"getElementById|28|'para'|29|.childNodes[0].splitText|28|11|29|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,34743; reference:cve,2009-1313; classtype:attempted-user; sid:17719; rev:3; service:http; )
# sid 17570 — CVE-2008-1236 (Firefox IFRAME style-change code execution). Chain:
# `contentDocument.designMode`, then `addEvenListener(`, then `iframe.style.position` within 100.
# NOTE(review): `addEvenListener(` is almost certainly a typo of `addEventListener(` — the DOM API
# name is not a substring of the typo, so as written this rule cannot match code that calls the real
# API. sid 13838 (same CVE) matches `addEventListener`. Confirm against the referenced PoC before
# correcting; if the PoC itself is spelled correctly, fix the content and bump rev.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox IFRAME style change handling code execution"; flow:to_client,established; file_data; content:"contentDocument.designMode",nocase; content:"addEvenListener|28|",distance 0,nocase; content:"iframe.style.position",within 100,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,28448; reference:cve,2008-1236; reference:url,secunia.com/advisories/29526; reference:url,www.mozilla.org/security/announce/2008/mfsa2008-15.html; classtype:attempted-user; sid:17570; rev:3; service:http; )
# sid 17519 — CVE-2008-0016 (Firefox UTF-8 URL handling stack overflow). Matches `<a href="`
# immediately followed by the bytes 0x01 'x' 'x', i.e. an href that begins with a 0x01 control byte
# as in the PoC. Other leading control bytes or attribute quoting styles are not covered.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox UTF-8 URL Handling Stack Buffer Overflow"; flow:to_client,established; file_data; content:"<a href=|22 01 78 78|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,31346; reference:cve,2008-0016; classtype:attempted-user; sid:17519; rev:4; service:http; )
# sid 15997 — CVE-2009-2477 (Firefox JIT escape() memory corruption). Every content here is a
# generic JavaScript fragment (`=data.charAt(`, `function`, `(data)`, `if(`, `=='`, ` = escape(`)
# tied together only by distance/within windows; expect false positives on ordinary scripts that
# process a `data` variable. Consider a tighter pcre on the full PoC loop if this is noisy.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox JIT escape function memory corruption attempt"; flow:to_client,established; file_data; content:"=data.charAt("; content:"function",nocase; content:"(data)",within 50,nocase; content:"if(",distance 0,nocase; content:"=='",within 125; content:"'",within 1,distance 1; content:" = escape(",within 135; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,35660; reference:cve,2009-2477; reference:url,www.kb.cert.org/vuls/id/443060; classtype:attempted-user; sid:15997; rev:6; service:http; )
# sid 16347 — CVE-2009-3382 (Firefox layout-engine memory corruption). `:first-letter {float: `
# (fast_pattern), then `.setAttribute('style', 'display: -moz-box; ');` and `.style.display= 'none';`
# within 60 bytes. The attribute-string spacing is matched literally, so a reformatted PoC evades it.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox browser engine memory corruption attempt"; flow:to_client,established; file_data; content:"|3A|first-letter {float|3A| ",fast_pattern; content:".setAttribute|28|'style', 'display|3A| -moz-box|3B| '|29 3B|"; content:".style.display= 'none'|3B|",within 60; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,36866; reference:cve,2009-3382; classtype:attempted-user; sid:16347; rev:3; service:http; )
# sid 16284 — CVE-2009-1313 (Firefox ClearTextRun), second PoC variant: `white-space: pre`,
# `<script>` + newline + `function doe()`, and `getElementById('a').childNodes[0].splitText(1)`.
# Function name, element id and split offset are PoC constants (compare sid 17719).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox ClearTextRun exploit attempt"; flow:to_client,established; file_data; content:"white-space|3A| pre"; content:"<script>|0A|function doe|28 29|"; content:"getElementById|28|'a'|29|.childNodes[0].splitText|28|1|29|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,34743; reference:cve,2009-1313; classtype:attempted-user; sid:16284; rev:3; service:http; )
# sid 15699 — CVE-2009-2479 (Firefox 3.5 unicode stack overflow). Matches two lines of the PoC's
# string-repeat helper (`i = Math.ceil(Math.log(num) / Math.LN2),` and
# `return res.slice(0, str.length * num)`), not the oversized-string condition itself.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox 3.5 unicode stack overflow attempt"; flow:to_client,established; file_data; content:"i = Math.ceil(Math.log(num) / Math.LN2),"; content:"return res.slice(0, str.length * num)"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,35707; reference:cve,2009-2479; classtype:attempted-user; sid:15699; rev:8; service:http; )
# sid 15383 — CVE-2007-5339 (Firefox XBL event-handler tag removal). Ordered match on `XUL_NS`,
# `child.parentNode.removeChild`, and the handler attribute
# `onselect="deleteChild(event.originalTarget)`. Handler/function names are PoC-specific.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox XBL Event Handler Tags Removal memory corruption attempt"; flow:to_client,established; file_data; content:"XUL_NS"; content:"child.parentNode.removeChild",distance 0; content:"onselect=|22|deleteChild|28|event.originalTarget|29|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,26132; reference:cve,2007-5339; classtype:attempted-user; sid:15383; rev:3; service:http; )
# sid 20072 — CVE-2011-0073 (Firefox nsTreeRange use-after-free). Contents `.view.selection` then
# `.invalidateSelection`; the pcre additionally requires a `.tree = null` assignment between them
# (lazy `.*?`, /s), i.e. the selection's tree is nulled before invalidate is called — this one
# encodes the vulnerable sequence rather than a PoC variable name.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox nsTreeRange Use After Free attempt"; flow:to_client,established; file_data; content:"|2E|view|2E|selection",nocase; content:"|2E|invalidateSelection",distance 0,nocase; pcre:"/\x2Eview\x2Eselection.*?\x2Etree\s*\x3D\s*null.*?\x2Einvalidate/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2011-0073; reference:url,www.mozilla.org/security/announce/2011/mfsa2011-13.html; classtype:attempted-user; sid:20072; rev:2; service:http; )
# sid 17804 — CVE-2010-3765 (Firefox html tag attribute fuzz-style PoC). Matches
# `var tags = new Array("audio", "a", "base")` followed by the fast_pattern
# `var html = "<" + tags[i] + " " + atts[j]`. A PoC fingerprint; see sid 19292 for the other PoC.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox html tag attributes memory corruption"; flow:to_client,established; file_data; content:"var tags = new Array|28 22|audio|22|, |22|a|22|, |22|base|22 29|",nocase; content:"var html = |22|<|22| + tags[i] + |22| |22| + atts[j]",distance 0,fast_pattern,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-3765; classtype:attempted-user; sid:17804; rev:6; service:http; )
# sid 16502 / 16501 — CVE-2010-1028 (Firefox WOFF integer overflow). These inspect the font binary:
#  - `wOFFOTTO` = WOFF signature + CFF flavor; `wOFF\x00\x01\x00\x00` = TrueType flavor.
#  - `|00 00|` at distance 6 / within 2 lands on the 2-byte reserved field at file offset 14.
#  - The pcre is relative (R) to that match, so `^.{28}` skips to offset 44 — the end of the WOFF
#    header — and then walks 20-byte table-directory entries (4-byte tag, 8 bytes offset+compLength,
#    then origLength+checksum). It fires on the first entry whose origLength starts with three 0xFF
#    bytes (>= 0xFFFFFF00), the oversized length that triggers the overflow. /i lets lowercase tags
#    such as `glyf` satisfy `[0-9A-Z\x20\x2F]{4}`.
# The numTables field is not consulted, so the scan is bounded only by the regex structure.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox WOFF font processing integer overflow attempt - CFF-based"; flow:to_client,established; file_data; content:"wOFFOTTO"; content:"|00 00|",within 2,distance 6; pcre:"/^.{28}([0-9A-Z\x20\x2F]{4}.{8}[^\xFF].{7})*([0-9A-Z\x20\x2F]{4}.{8}\xFF{3})/isR"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,38298; reference:cve,2010-1028; reference:url,www.kb.cert.org/vuls/id/964549; classtype:attempted-user; sid:16502; rev:3; service:http; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox WOFF font processing integer overflow attempt - TrueType"; flow:to_client,established; file_data; content:"wOFF|00 01 00 00|"; content:"|00 00|",within 2,distance 6; pcre:"/^.{28}([0-9A-Z\x20\x2F]{4}.{8}[^\xFF].{7})*([0-9A-Z\x20\x2F]{4}.{8}\xFF{3})/isR"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,38298; reference:cve,2010-1028; reference:url,www.kb.cert.org/vuls/id/964549; classtype:attempted-user; sid:16501; rev:3; service:http; )
# sid 17642 — CVE-2009-2462 (Firefox ConstructFrame floating first-letter). `first-letter`, then
# `float: right` (nocase), and the literal `parentNode.removeAttribute("class")` from the PoC.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox ConstructFrame with floating first-letter memory corruption attempt"; flow:to_client,established; file_data; content:"first-letter",nocase; content:"float: right",distance 0,nocase; content:"parentNode.removeAttribute(|22|class|22|)"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,35765; reference:cve,2009-2462; classtype:attempted-user; sid:17642; rev:5; service:http; )
# sid 17399 / 17398 — CVE-2009-0773 (Firefox Array.splice memory corruption). Each matches one PoC
# literally: `a[6] = "toto";` + `a.splice(6, 1);` and `a[10] = "AAAAAAAAAA";` + `a.splice(10, 1);`.
# Array name, index and filler string are all PoC constants.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox Javascript array.splice memory corruption attempt"; flow:to_client,established; file_data; content:"a|5B|6|5D 20 3D 20 22|toto|22 3B|"; content:"a|2E|splice|28|6|2C 20|1|29 3B|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,33990; reference:cve,2009-0773; classtype:attempted-user; sid:17399; rev:3; service:http; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox Javascript array.splice memory corruption attempt"; flow:to_client,established; file_data; content:"a|5B|10|5D 20 3D 20 22|AAAAAAAAAA|22 3B|"; content:"a|2E|splice|28|10|2C 20|1|29 3B|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,33990; reference:cve,2009-0773; classtype:attempted-user; sid:17398; rev:3; service:http; )
# sid 17258 — CVE-2009-1044 (Firefox XUL tree element code execution). Ordered match on
# `selection.timedSelect(1,8000);`, `tree.view.selection=null;`, `delete tree`, then an unanchored
# `delete selection`. Note `timedSelect(1,8000)` is matched literally — the PoC's timer arguments.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox XUL tree element code execution attempt"; flow:to_client,established; file_data; content:"selection|2E|timedSelect|28|1|2C|8000|29 3B|"; content:"tree|2E|view|2E|selection|3D|null|3B|",distance 0; content:"delete|20|tree",distance 0; content:"delete|20|selection"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,34181; reference:cve,2009-1044; classtype:attempted-user; sid:17258; rev:3; service:http; )
# sid 17603 — CVE-2008-5021 (Firefox file-input type change). Cheap gates: `type=` with `file`
# 1 byte after, and `getElement`. The pcre then ties a script to its markup: capture
# `var V = ....getElementX("ID")`, require `V.type = "<anything but file>"` later, and an element
# `id="ID" ... type="file"` after that — i.e. a script switching an <input type=file>'s type.
# Cost note: three unbounded `.*` under /s with back-references can backtrack heavily on large
# responses; only Snort's pcre match/recursion limits bound it.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox file type memory corruption attempt"; flow:to_client,established; file_data; content:"type=",nocase; content:"file",within 7,distance 1,nocase; content:"getElement",nocase; pcre:"/var\s*(?P<varname>[^\s]*)\s*\x3d\s*[^\x2E]*\x2EgetElement[^\x28]*\x28(\x22|\x27)(?P<elementid>[^\x22\x27]*)(\x22|\x27)\x29.*(?P=varname)\x2etype\s*\x3D\s*(\x22|\x27)(?!file).*id\s*\x3d\s*(\x22|\x27)(?P=elementid)[^>]*type\s*=\s*(\x22|\x27)file/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,32281; reference:cve,2008-5021; reference:url,www.mozilla.org/security/announce/2008/mfsa2008-55.html; classtype:attempted-user; sid:17603; rev:3; service:http; )
# sid 17601 — CVE-2008-5016 / MFSA2008-52. Only evaluated when a file-identification rule has set
# `file.xul` on the flow ($FILE_DATA_PORTS; http/imap/pop3). Looks for a <tree> with two
# <treechildren>, an `ordinal` attribute between them, and an `onoverflow=` handler that calls
# `event.target.parentNode.removeChild` — removing the tree child from its own overflow handler.
# NOTE(review): the msg text "file type memory corruption attempt" is identical to sid 17603
# (CVE-2008-5021) but this rule targets the XUL tree bug; analysts triaging by msg will conflate
# the two. Consider renaming the msg to mention XUL tree/treechildren and bumping rev.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox file type memory corruption attempt"; flow:to_client,established; flowbits:isset,file.xul; file_data; content:"style="; content:"<treechildren",nocase; content:"<treechildren",distance 0,nocase; content:"ordinal"; content:"event.target.parentNode.removeChild"; pcre:"/onoverflow\s*?=\s*?(\x22|\x27)\s*?event\.target\.parentNode\.removeChild/smi"; pcre:"/<treechildren.*?ordinal=.*?<treechildren/smi"; pcre:"/<tree.*?tree(?!children).*?<treechildren.*?<treechildren/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,32281; reference:cve,2008-5016; reference:url,www.mozilla.org/security/announce/2008/mfsa2008-52.html; classtype:attempted-user; sid:17601; rev:9; service:http; service:imap; service:pop3; )
# sid 13838 — CVE-2008-1236 (Firefox IFRAME style change code execution). Requires `iframe`,
# `iframe.contentDocument.designMode`, `addEventListener`, and a pcre pinning the listener to
# mousemove / mousedown / keydown (quotes optional via the empty alternative in (?P<q>...)).
# Broader than sid 17570 because it does not demand a specific follow-up style assignment.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox IFRAME style change handling code execution"; flow:to_client,established; file_data; content:"iframe",nocase; content:"iframe.contentDocument.designMode",nocase; content:"addEventListener",nocase; pcre:"/addEventListener\s*\(\s*(?P<q>\x22|\x27|)(mouse(move|down)|keydown)(?P=q)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,28448; reference:cve,2008-1236; reference:url,secunia.com/advisories/29526; reference:url,www.mozilla.org/security/announce/2008/mfsa2008-15.html; classtype:attempted-user; sid:13838; rev:7; service:http; )
# sid 15431 / 17444 — CVE-2009-1169 (Firefox 3 XSLT heap overflow). Each matches one PoC's
# <xsl:key> element verbatim (`name="label" match="item2" use="w00t()"` and
# `name="poc" match="nodeB" use="does_not_exist()"`). The triggering condition — a call to an
# undefined function inside `use=` — is not matched generically; any other names evade both.
# These also drop in the connectivity policy, unlike most rules in this file.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox 3 xsl parsing heap overflow attempt"; flow:to_client,established; file_data; content:"<xsl|3A|key name=|22|label|22| match=|22|item2|22| use=|22|w00t|28 29 22|/>"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:bugtraq,34235; reference:cve,2009-1169; reference:url,www.mozilla.org/security/announce/2009/mfsa2009-12.html; classtype:attempted-user; sid:15431; rev:8; service:http; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox 3 xsl parsing heap overflow attempt"; flow:to_client,established; file_data; content:"<xsl|3A|key name=|22|poc|22| match=|22|nodeB|22| use=|22|does_not_exist|28 29 22|/>"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:bugtraq,34235; reference:cve,2009-1169; reference:url,www.mozilla.org/security/announce/2009/mfsa2009-12.html; classtype:attempted-user; sid:17444; rev:6; service:http; )
# sid 19713 / 19714 — CVE-2011-2371 (Array.reduceRight integer overflow). Match `a.length=0xffffffff`
# or `a.length=0x81000002` followed by `a.reduceRight(callback,0)`. Array/callback names and the
# exact length literal are PoC constants; sids 24187/24188 cover two more literal variants.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Array.reduceRight integer overflow"; flow:to_client,established; file_data; content:"a.length=0xffffffff",nocase; content:"a.reduceRight|28|callback|2C|0|29|",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,48372; reference:cve,2011-2371; classtype:attempted-user; sid:19713; rev:2; service:http; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Array.reduceRight integer overflow"; flow:to_client,established; file_data; content:"a.length=0x81000002",nocase; content:"a.reduceRight|28|callback|2C|0|29|",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,48372; reference:cve,2011-2371; classtype:attempted-user; sid:19714; rev:2; service:http; )
# sid 18077 / 18078 — CVE-2006-1739 (Mozilla CSS rendering out-of-bounds write).
# 18077: raw byte string `%n%n%n%n%n%n"EWIDTH=left SIZE=` followed by five 0x8B bytes.
# 18078: `<HR WIDTH=4444444 COLOR="#000000">` — the PoC's oversized WIDTH value, matched literally
#   and case-sensitively (no nocase), so `<hr width=...>` does not match.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla products CSS rendering out-of-bounds array write attempt"; flow:to_client,established; file_data; content:"|25 6E 25 6E 25 6E 25 6E 25 6E 25 6E 22 45 57 49 44 54 48 3D 6C 65 66 74 20 53 49 5A 45 3D 8B 8B 8B 8B 8B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-1739; reference:url,osvdb.org/show/osvdb/24660; classtype:attempted-user; sid:18077; rev:4; service:http; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla products CSS rendering out-of-bounds array write attempt"; flow:to_client,established; file_data; content:"|3C|HR WIDTH|3D|4444444 COLOR|3D 22 23|000000|22 3E|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-1739; reference:url,osvdb.org/show/osvdb/24660; classtype:attempted-user; sid:18078; rev:4; service:http; )
# sid 18296 — CVE-2006-6504 (Mozilla frame/comment object manipulation). Matches the percent-encoded
# string `%3C!--%20Comment%20--%3E%3Csvg%20xmlns=%22http://www.w3.org/2000/svg%22%20version=%221.1%22
# %20baseProfile=%22full%22%3E%3C/svg%3E` exactly (no nocase, so only uppercase hex digits).
# Companion sid 15999 matches the DOM manipulation step of the same PoC.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla products frame comment objects manipulation memory corruption attempt"; flow:to_client,established; file_data; content:"|25|3C|21 2D 2D 25|20Comment|25|20|2D 2D 25|3E|25|3Csvg|25|20xmlns|3D 25|22http|3A 2F 2F|www|2E|w3|2E|org|2F|2000|2F|svg|25|22|25|20version|3D 25|221|2E|1|25|22|25|20baseProfile|3D 25|22full|25|22|25|3E|25|3C|2F|svg|25|3E"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,21668; reference:cve,2006-6504; classtype:attempted-user; sid:18296; rev:3; service:http; )
# sid 18286 — CVE-2006-0294 (Mozilla element style change memory corruption). Two back-to-back
# `<q style="position:relative;">` tags followed by a `.style.position='static';` assignment.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla products element style change memory corruption code execution attempt"; flow:to_client,established; file_data; content:"|3C|q style|3D 22|position|3A|relative|3B 22 3E 3C|q style|3D 22|position|3A|relative|3B 22 3E|"; content:"|2E|style|2E|position|3D 27|static|27 3B|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,16476; reference:cve,2006-0294; classtype:attempted-user; sid:18286; rev:3; service:http; )
# sid 18250 — CVE-2006-0297 (Mozilla EscapeAttributeValue integer overflow). `alert(xx.toXMLString`
# plus the PoC's filler loop `for(i=0;i<(1024*1024)/2;i++) m += "\n";` — the loop bound and
# variable names are PoC constants.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla products EscapeAttributeValue integer overflow attempt"; flow:to_client,established; file_data; content:"alert|28|xx.toXMLString"; content:"for|28|i=0|3B|i<|28|1024*1024|29|/2|3B|i++|29| m += |22 5C|n|22 3B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,16476; reference:cve,2006-0297; classtype:attempted-user; sid:18250; rev:3; service:http; )
# sid 18186 — CVE-2006-1738 (-moz-grid / -moz-grid-group display code execution). Single literal
# match on the PoC's
# `<button onclick="document.getElementsByTagName('row')[0].style.display='-moz-grid-group'"`.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla products -moz-grid and -moz-grid-group display styles code execution attempt"; flow:to_client,established; file_data; content:"|3C|button onclick|3D 22|document|2E|getElementsByTagName|28 27|row|27 29 5B|0|5D 2E|style|2E|display|3D 27 2D|moz|2D|grid|2D|group|27 22|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,17516; reference:cve,2006-1738; classtype:attempted-user; sid:18186; rev:4; service:http; )
# sid 15999 — CVE-2006-6504 (Mozilla frame/comment object manipulation), DOM step of the PoC:
# `bb.appendChild(fr.childNodes[4]);`. Variable names and the child index are PoC constants.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla products frame comment objects manipulation memory corruption attempt"; flow:to_client,established; file_data; content:"bb.appendChild|28|fr.childNodes[4]|29 3B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,21668; reference:cve,2006-6504; classtype:attempted-user; sid:15999; rev:4; service:http; )
# sid 15164 — CVE-2007-2867 (SVG pathSegList index memory corruption). Matches
# `document.getElementById("path").pathSegList.getItem(-1)` — the negative index is the trigger, but
# the element id `path` is hard-coded, so any other id evades the rule.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Products SVG Layout Engine Index Parameter memory corruption attempt"; flow:to_client,established; file_data; content:"document.getElementById|28 22|path|22 29|.pathSegList.getItem|28|-1|29|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,24242; reference:cve,2007-2867; classtype:attempted-user; sid:15164; rev:4; service:http; )
# sid 17630 — CVE-2008-2785 (Mozilla CSSValue array memory corruption). Ordered match on
# `counter-reset:`, `counter-increment:`, `<ol id="id1">` + LF, and three `<li></li>` + LF lines —
# the PoC's exact markup, including line endings (CRLF-formatted copies will not match).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla multiple products CSSValue array memory corruption attempt"; flow:to_client,established; file_data; content:"counter|2D|reset|3A|"; content:"counter|2D|increment|3A|",distance 0; content:"|3C|ol|20|id|3D 22|id1|22 3E 0A|",distance 0; content:"|3C|li|3E 3C 2F|li|3E 0A 3C|li|3E 3C 2F|li|3E 0A 3C|li|3E 3C 2F|li|3E 0A|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,29802; reference:cve,2008-2785; classtype:attempted-user; sid:17630; rev:3; service:http; )
# sid 24187 / 24188 — CVE-2011-2371 (Array.reduceRight integer overflow), later PoC variants:
# `len = 0xffffffff` or `.length = 2197815302` (= 0x83000006) together with an unanchored
# `.reduceRight`. Slightly more generic than 19713/19714 (no array/callback name), but the length
# literal is still matched verbatim.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Array.reduceRight integer overflow"; flow:to_client,established; file_data; content:"len = 0xffffffff"; content:".reduceRight"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,48372; reference:cve,2011-2371; classtype:attempted-user; sid:24187; rev:1; service:http; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Array.reduceRight integer overflow"; flow:to_client,established; file_data; content:".length = 2197815302"; content:".reduceRight"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,48372; reference:cve,2011-2371; classtype:attempted-user; sid:24188; rev:1; service:http; )
# sid 18188 — CVE-2006-2723 (marquee tag denial of service; classtype attempted-dos). Literal match on
# `document.write('<html><marquee><h1>'+buffer+buffer);` from the PoC.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Multiple browser marquee tag denial of service attempt"; flow:to_client,established; file_data; content:"document.write|28 27|<html><marquee><h1>|27|+buffer+buffer|29 3B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,18165; reference:cve,2006-2723; classtype:attempted-dos; sid:18188; rev:4; service:http; )
# sid 27568 — CVE-2013-1690 (Firefox 17 onreadystatechange memory corruption; the exploit used
# against Tor Browser users). Inspects $FILE_DATA_PORTS bodies over http/imap/pop3 for
# `readystatechange`, `addEventListener`, `ArrayBuffer(`, `Int32Array` and `window.stop`, and
# requires that `ArrayBufferView` does NOT appear anywhere in the body (negated content).
# Evasion note: the negated content means an attacker can suppress the alert simply by including
# the string "ArrayBufferView" in a comment; treat this as a whitelist of one known-benign page
# pattern, not as a hardening measure. The pastebin reference is ephemeral.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox 17 onreadystatechange memory corruption attempt"; flow:to_client,established; file_data; content:"readystatechange"; content:"addEventListener"; content:"ArrayBuffer("; content:"Int32Array"; content:"window.stop"; content:!"ArrayBufferView"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-1690; reference:url,pastebin.mozilla.org/2777139; classtype:attempted-user; sid:27568; rev:1; service:http; service:imap; service:pop3; )
# sid 11834 — CVE-2007-1499 / CVE-2007-1752 (IE navcancl.htm address-bar spoofing; MS07-033).
# Matches `ieframe.dll/navcancl.htm#` (nocase) in a response body — a reference to the local
# "navigation cancelled" resource page with a fragment, the vector used to spoof the URL.
# classtype misc-attack rather than attempted-user.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer navcancl.htm url spoofing attempt"; flow:to_client,established; file_data; content:"ieframe.dll/navcancl.htm|23|",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,22966; reference:cve,2007-1499; reference:cve,2007-1752; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-033; classtype:misc-attack; sid:11834; rev:15; service:http; )
# sid 17401 — CVE-2008-4844 (IE data-binding memory corruption, MS08-078), percent-encoded form:
# `%53%52%43%3d%5c%5c%26%23` decodes to `SRC=\\&#`. nocase is set, so either hex-digit case
# matches. Companions: sid 17402 (unescaped PoC) and sid 16605 (nested SPAN variant).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer nested tag memory corruption attempt - unescaped"; flow:to_client,established; file_data; content:"%53%52%43%3d%5c%5c%26%23",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,32721; reference:cve,2008-4844; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-078; classtype:attempted-user; sid:17401; rev:7; service:http; )
# sid 19411 — CVE-2010-3330 (IE cross-domain information disclosure, MS10-071). Single literal
# `alert(myLink.styleSheet.cssText)` — the PoC's demonstration call; real exfiltration code would not
# use alert() or the variable name `myLink`.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer Cross-Domain information disclosure attempt"; flow:to_client,established; file_data; content:"alert|28|myLink.styleSheet.cssText|29|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,43709; reference:cve,2010-3330; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-071; classtype:attempted-user; sid:19411; rev:4; service:http; )
# sid 18951 — CVE-2010-0244 (IE onPropertyChange / deleteTable memory corruption). Literal
# `document.getElementById('colid1').onpropertychange =`; the element id `colid1` is a PoC constant.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer onPropertyChange deleteTable memory corruption attempt"; flow:to_client,established; file_data; content:"document.getElementById|28|'colid1'|29 2E|onpropertychange|20|="; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,37891; reference:cve,2010-0244; classtype:attempted-user; sid:18951; rev:4; service:http; )
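# sid 18482 — CVE-2009-0552 (IE history.go double free). Ordered match on `str2 = str;`,
# `history.go(str2);` (fast_pattern) and `str2 += str;` — the PoC's string-doubling loop.
# Fix: the rule header was `$HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any`, i.e. responses from
# internal web servers to external clients, while `flow:to_client` and every sibling BROWSER-IE rule
# expect exploit pages served to browsers inside $HOME_NET. With the old header the rule could never
# fire on inbound client-side exploitation. Header corrected to match the rest of the file and rev
# bumped.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer History.go method double free corruption attempt"; flow:to_client,established; file_data; content:"str2|20 3D 20|str|3B|"; content:"history|2E|go|28|str2|29 3B|",distance 0,fast_pattern; content:"str2|20 2B 3D 20|str|3B|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,34423; reference:cve,2009-0552; classtype:attempted-user; sid:18482; rev:4; service:http; )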
# sid 18313 — CVE-2006-1359 (IE createTextRange code execution, MS06-013). Ordered match on the
# PoC markup and script: `<input type="checkbox" id='c'>`, `r=document.getElementById("c");`,
# `a=r.createTextRange();`. Element id and variable names are PoC constants; sid 17263 is a
# byte-pattern variant for the same CVE.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer createTextRange code execution attempt"; flow:to_client,established; file_data; content:"|3C|input type|3D 22|checkbox|22 20|id|3D 27|c|27 3E|"; content:"r|3D|document|2E|getElementById|28 22|c|22 29 3B|",distance 0; content:"a|3D|r|2E|createTextRange|28 29 3B|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,17196; reference:cve,2006-1359; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-013; classtype:attempted-user; sid:18313; rev:4; service:http; )
# sid 18306 — CVE-2006-1188 (IE span tag memory corruption). Matches HTML-entity-encoded tag
# sequences (`&lt;/span&gt;` + LF + `&lt;pre&gt;`, the colgroup/small block, and the unterminated
# `&lt;/bdo` / `&lt;/th` / `&lt;/object` run) in order. Only the entity-encoded form is covered;
# the same markup sent as raw `<`/`>` is not.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer span tag memory corruption attempt"; flow:to_client,established; file_data; content:"|26|lt|3B 2F|span|26|gt|3B 0A 26|lt|3B|pre|26|gt|3B|"; content:"|26|lt|3B|colgroup|26|gt|3B 0A 26|lt|3B|small|26|gt|3B 0A 26|lt|3B 2F|small|26|gt|3B 0A 26|lt|3B 2F|colgroup|26|gt|3B|",distance 0; content:"|26|lt|3B 2F|object|26|gt|3B 0A 26|lt|3B 2F|bdo|0A 26|lt|3B 2F|th|0A 26|lt|3B 2F|object",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-1188; classtype:attempted-user; sid:18306; rev:3; service:http; )
# sid 18303 — CVE-2006-1245 (IE script action handler overflow). Ordered match on
# `for(s='<a onclick=',i=0;`, `document.write(s+'>')`, `s+=s;` — the PoC loop that doubles an
# onclick attribute until it overflows. Variable names and quoting are matched literally.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer script action handler overflow attempt"; flow:to_client,established; file_data; content:"for|28|s|3D 27 3C|a|20|onclick|3D 27 2C|i|3D|0|3B|"; content:"document|2E|write|28|s|2B 27 3E 27 29|",distance 0; content:"s|2B 3D|s|3B|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,17131; reference:cve,2006-1245; classtype:attempted-user; sid:18303; rev:3; service:http; )
# sid 17729 — CVE-2009-0553 (IE EMBED element memory corruption, MS09-014). Literal match on
# `<embed type='" + asMimeTypes.shift` — a script building embed tags from a MIME-type array.
# The array name `asMimeTypes` is a PoC constant.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer EMBED element memory corruption attempt"; flow:to_client,established; file_data; content:"<embed type=|27 22| + asMimeTypes.shift"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,34424; reference:cve,2009-0553; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-014; classtype:attempted-user; sid:17729; rev:6; service:http; )
# sid 17644 — CVE-2009-0075 (IE object clone deletion memory corruption, MS09-002). Matches
# `var nopsled` followed by `cloneNode()`. The `nopsled` variable name is an exploit-kit / PoC
# artifact, not a vulnerability condition; `cloneNode()` alone is ubiquitous in benign JS, so this
# rule is only as good as attackers' reuse of that name.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer object clone deletion memory corruption attempt"; flow:to_client,established; file_data; content:"var nopsled",nocase; content:"cloneNode|28 29|",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-0075; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-002; classtype:attempted-user; sid:17644; rev:6; service:http; )
# sid 17566 — CVE-2009-1530 (IE event handler memory corruption, MS09-019). Gate on
# `activate = function ()`; the pcre requires an `onbeforeactivate` or `ondeactivate` handler whose
# body immediately calls `callback()` or `callmalFunc()` — the two PoC function names.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer event handler memory corruption attempt"; flow:to_client,established; file_data; content:"activate = function ()"; pcre:"/on(before|de)activate\s*\x3d\s*function\s*\x28\x29\s*\x7b\s*call(back|malFunc)\x28\x29/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,35224; reference:cve,2009-1530; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-019; classtype:attempted-user; sid:17566; rev:4; service:http; )
00321 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer Error Handling Code Execution"; flow:to_client,established; file_data; content:"for",nocase; content:"i=0|3B| i<20|3B| i++",within 30; content:"document.location.href=fileURL",within 50; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,25916; reference:cve,2007-3892; classtype:attempted-admin; sid:17549; rev:6; service:http; )
00322 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer nested tag memory corruption attempt"; flow:to_client,established; file_data; content:"adong7",nocase; content:"adong7",distance 0,nocase; content:"datasrc",distance 0,nocase; content:"datafld",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,32721; reference:cve,2008-4844; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-078; classtype:attempted-user; sid:17402; rev:5; service:http; )
00323 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer createTextRange code execution attempt"; flow:to_client,established; file_data; content:".createTextRange|28 29 09 0A 0D 09 20 0A 20 0A 20 0D|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,17196; reference:cve,2006-1359; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-013; classtype:attempted-user; sid:17263; rev:5; service:http; )
00324 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer nested SPAN tag memory corruption attempt"; flow:to_client,established; file_data; content:"%3c%53%50%41%4e%20%44%41%54%41%53%52%43%3d%23%49%20%44%41%54%41%46%4c%44%3d%43%20%44%41%54%41%46%4f%52%4d%41%54%41%53%3d%48%54%4d%4c%3e"; content:"%3c%53%50%41%4e%20%44%41%54%41%53%52%43%3d%23%49%20%44%41%54%41%46%4c%44%3d%43%20%44%41%54%41%46%4f%52%4d%41%54%41%53%3d%54%45%58%54%3e",nocase; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:bugtraq,32721; reference:cve,2008-4844; classtype:attempted-user; sid:16605; rev:6; service:http; )
00325 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer negative margin use after free attempt"; flow:to_client,established; file_data; content:"<object",offset 0,nocase; pcre:!"/^[^>]*?data\s*=/Rmis"; content:"margin",nocase; pcre:"/<[^>]*?style\s*[>=].{1,1024}margin\s*\x3a\s*[^\x3b\x7d]*?-(\d{4}|1[0-9][1-9]|[2-9]\d\d)[ce][mx].*?[\x7b\x3b]/ims"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1526; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-052; classtype:attempted-user; sid:23836; rev:5; service:http; service:imap; service:pop3; )
00326 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 9 memory disclosure attempt"; flow:to_client,established; file_data; content:"X-UA-Compatible"; content:"content=",nocase; content:".postMessage("; pcre:"/<\s*?meta\s+.*?(http-equiv=(?P<q1>[\x22\x27])\s*?X-UA-Compatible\s*?(?P=q1).*?[^>]content=(?P<q2>[\x22\x27])\s*?IE=\s*?(EmulateIE9|Edge|9)\s*?(?P=q2)|content=(?P<q3>[\x22\x27])\s*?IE=\s*?(EmulateIE9|Edge|9)\s*?(?P=q3).*?[^>]http-equiv=(?P<q4>[\x22\x27])\s*?X-UA-Compatible\s*(?P=q4)).*?(\w\x2epostMessage\x28\s*.*?\x5c0.*?\x29|var\s+(?P<var>\w+)\s*?=\s*?(?P<q5>[\x22\x27]).*?[^\x3b]\x5c0.*?\x3b.*?\w\x2epostMessage\x28\s*?(?P=var))/imsO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-1873; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-037; classtype:attempted-user; sid:23128; rev:3; service:http; )
00327 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer html table column span width increase memory corruption attempt"; flow:to_client,established; file_data; content:"table-layout|3A|",fast_pattern,nocase; content:"fixed",within 7,nocase; pcre:"/<\s*script.*?(?P<var>\w+)\s*=\s*document\.getElementById\s*\x28\s*[\x22\x27](?P<col_id>[^\x22\x27]+)[\x22\x27]\s*\x29.*?((?P=var)\.span.*?<\s*table.*?<col[^>]*?id\s*=\s*[\x22\x27]?(?P=col_id)[^>]*?>.*?<\s*\/\s*table\s*>|<\s*col.*?id\s*=\s*[\x22\x27]?(?P=col_id)[^>]*?span\s*=\s*[\x22\x27]?\d)/ims"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-1876; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-037; classtype:attempted-user; sid:23124; rev:4; service:http; )
00328 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 9 DOM element use after free attempt"; flow:to_client,established; file_data; content:"onpropertychange"; pcre:"/<script[^>]*?for\s*=\s*[\x22\x27]?.*?event\s*=\s*[\x22\x27]?onpropertychange[\x22\x27]?[^>]*?>/ims"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-1877; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-037; classtype:attempted-user; sid:23117; rev:4; service:http; )
00329 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 9 CTreeNode use after free attempt"; flow:to_client,established; file_data; content:"srcElement.parentNode.removeChild"; pcre:"/\w+\.getElementById\(.*?\)\.attachEvent\(\s*(?P<q1>[\x22\x27]?)(?P<eventid>.*?)(?P=q1)\s*,\s*(?P<repro>\w+)\s*\)\;.*?var\s+(?P<target>\w+)\s*=\s*\w+\.getElementById\(.*?\)\;.*?(?P=target)\.fireEvent\(\s*(?P<q2>[\x22\x27]?)(?P=eventid)(?P=q2)\s*\)\;.*?(?P=target)\.fireEvent\(\s*(?P<q3>[\x22\x27]?)(?P=eventid)(?P=q3)\s*\)\;.*?function\s+(?P=repro)\s*\(\s*(?P<arg>\w+)\s*\)\s*{.*?(?P=arg)\.srcElement\.parentNode\.removeChild\(\s*(?P=arg)\.srcElement\s*\)\;.*?}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-1878; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-037; classtype:attempted-user; sid:23116; rev:2; service:http; )
00330 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer SelectAll dangling pointer use after free attempt"; flow:to_client,established; file_data; content:"document.execCommand|28|'selectAll'|29|",nocase; content:"document.execCommand|28|'selectAll'|29|",distance 0,nocase; content:"<body onload",distance 0,nocase; content:"onbeforedeactivate=",distance 0,nocase; metadata:policy balanced-ips alert,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0171; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-023; classtype:attempted-user; sid:22038; rev:2; service:http; service:imap; service:pop3; )
00331 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer vector graphics reference counting use-after-free attempt"; flow:to_client,established; file_data; content:"|3C 3F|IMPORT namespace=|22|",nocase; content:"implementation=|22|#default#VML|22 3E|",within 50,nocase; metadata:policy balanced-ips alert,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,52906; reference:cve,2012-0172; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-023; classtype:attempted-user; sid:21793; rev:7; service:http; service:imap; service:pop3; )
00332 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer location and location.href cross domain security bypass vulnerability"; flow:to_client,established; file_data; content:"window.open",nocase; content:".location",nocase; pcre:"/\.location(\.href)?\s*=\s*new\s+String\s*\x28\s*\x22\s*javascript\x3A/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-2947; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-058; classtype:attempted-user; sid:14643; rev:9; service:http; )
00333 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer ExecWB security zone bypass attempt"; flow:to_client,established; file_data; content:"ExecWB",nocase; pcre:"/ExecWB\s*\x28\s*[^\x2c\x29]*(7|IDM_PRINTPREVIEW)[^\x29]+http\x3a\x2f\x2f/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,30612; reference:cve,2008-2259; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-045; classtype:attempted-user; sid:17692; rev:6; service:http; )
00334 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer cross-domain navigation cookie stealing attempt"; flow:to_client,established; file_data; content:"setInterval|28|'xDomainAccess|28 29|',1|29 3B|",nocase; content:"setInterval|28 22|try { myWindow.location.href = victimLnk|3B|}",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2007-3091; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-019; classtype:misc-attack; sid:15529; rev:7; service:http; )
00335 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer XSS mouseevent PII disclosure attempt"; flow:to_client,established; file_data; content:"setcapture|28 29|"; content:"onclick=",nocase; content:"event",nocase; content:"srcelement.",distance 0,nocase; pcre:"/(?P<divname>\w+)\x2esetcapture\x28\x29.*?<div[^\x3e]*?(?P=divname)[^\x3e]*?onclick\x3d/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-3473; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-053; classtype:web-application-activity; sid:14656; rev:11; service:http; )
00336 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer cross domain componentFromPoint memory corruption attempt"; flow:to_client,established; file_data; content:"|2E|componentFromPoint|28|",nocase; pcre:"/(\S+)\s+\x3d[^\x3b]*\x2e(createElement|getElementById)\x28.*\1\x2ecomponentFromPoint\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-3475; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-058; classtype:attempted-user; sid:14657; rev:9; service:http; )
00337 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer DXLUTBuilder ActiveX function call access"; flow:to_client,established; file_data; content:"DXTransform.Microsoft.DXLUTBuilder"; pcre:"/(?P<c>\w+)\s*=\s*(\x22DXTransform\.Microsoft\.DXLUTBuilder(\.\d)?\x22|\x27DXTransform\.Microsoft\.DXLUTBuilder(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22DXTransform\.Microsoft\.DXLUTBuilder(\.\d)?\x22|\x27DXTransform\.Microsoft\.DXLUTBuilder(\.\d)?\x27)\s*\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-0078; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-010; classtype:attempted-user; sid:13455; rev:10; service:http; )
00338 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer DXLUTBuilder ActiveX clsid access"; flow:to_client,established; file_data; content:"1e54333b-2a00-11d1-8198-0000f87557db",nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*1e54333b-2a00-11d1-8198-0000f87557db\s*}?\s*(?P=q1)(\s|>)/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-0078; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-010; classtype:attempted-user; sid:13453; rev:10; service:http; )
00339 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer table layout access violation vulnerability"; flow:to_client,established; file_data; content:"|2E|getClientRects|28 29|",nocase; content:"|2E|clearAttributes|28 29|",within 50,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-2258; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-045; classtype:misc-attack; sid:13961; rev:8; service:http; )
00340 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer argument validation in print preview handling exploitation attempt"; flow:to_client,established; file_data; content:"|2E|ExecWB"; pcre:"/\x2eExecWB\s*\x28(IDM_PRINTPREVIEW|7)\x2c\s+(0|2)\x2C\s+\x22http/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,30612; reference:cve,2008-2259; reference:url,osvdb.org/show/osvdb/47414; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-045; classtype:attempted-user; sid:13963; rev:10; service:http; )
00341 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer marquee object handling memory corruption attempt"; flow:to_client,established; file_data; content:"MARQUEE",nocase; content:"onstart",distance 0,nocase; pcre:"/\x3c\s*Marquee[^\x3e]*onstart\s*\x3D\s*\x22\s*document\x2e(write|writeln|open)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-0554; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-014; classtype:attempted-user; sid:17462; rev:8; service:http; )
00342 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer EMBED element memory corruption attempt"; flow:to_client,established; file_data; content:"function|20|open|5F|win|28 29|"; content:"document|2E|body|2E|innerHTML|20 3D|",distance 0; content:"|22 3C|embed|20|type|3D 27|audio|2F|midi|27 3E|",distance 0; content:"setInterval|28 27|open|5F|win|28 29 27 2C 20|1|29 3B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,34424; reference:cve,2009-0553; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-014; classtype:attempted-user; sid:17709; rev:7; service:http; )
00343 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer object clone deletion memory corruption attempt - obfuscated"; flow:to_client,established; dsize:<800; file_data; content:"<html>",nocase; content:"createElement",distance 0,nocase; content:"cloneNode",nocase; content:"clearAttributes",nocase; content:"CollectGarbage",nocase; content:"</html>",distance 0,nocase; metadata:policy balanced-ips alert,policy security-ips alert,service http; reference:cve,2009-0075; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-002; classtype:attempted-user; sid:16339; rev:7; service:http; )
00344 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer object clone deletion memory corruption attempt"; flow:to_client,established; file_data; content:"cloneNode",nocase; content:"clearAttributes",distance 0,nocase; pcre:"/(?P<cl>\w+)\s*=\s*(?P<o>\w+)\.cloneNode.*?(?P=o)\.clearAttributes.*?(?P=o)\s*=\s*null\s*\x3B.*?(?P=cl)\.click\s*\x3B/Osmi"; metadata:policy balanced-ips alert,policy security-ips alert,service http; reference:cve,2009-0075; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-002; classtype:attempted-user; sid:15304; rev:7; service:http; )
00345 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer invalid object access memory corruption attempt"; flow:to_client,established; file_data; content:"createEventObject"; content:"innerHTML",distance 0; pcre:"/createEventObject[^\x7D]+innerHTML\s*\x3D\s*\S+[^\x7D]+(setTimeout|setInterval)/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-0249; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-002; classtype:attempted-user; sid:16367; rev:10; service:http; )
00347 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer userdata behavior memory corruption attempt"; flow:to_client,established; file_data; content:"|7B|behavior",nocase; content:"url|28 23|default|23|userData|29|",distance 0,nocase; content:"setAttribute"; pcre:"/(?P<class>[A-Z\d_]+)\s*\x7Bbehavior\s*\x3a\s*url\x28\x23default\x23userData\x29.*?(?P<obj>[A-Z\d_]+)\x2EsetAttribute\x28[^,]+,\s*[A-Z]\x29.*?\x3cMARQUEE\s*id\x3d\x22(?P=obj)\x22\s*class\x3d\x22(?P=class)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-0806; reference:url,support.microsoft.com/kb/980182; classtype:attempted-user; sid:17689; rev:7; service:http; )
00348 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer userdata behavior memory corruption attempt"; flow:to_client,established; file_data; content:"|3C|script|3E|",nocase; content:"|2E|style|2E|behavior",nocase; content:"|23|default|23|userData",distance 0,nocase; content:"setAttribute|28|"; pcre:"/(?P<obj>[A-Z\d_]+)\x2Estyle\x2Ebehavior\s*\x3D\s*\x22url\x28\x27\x23default\x23userData\x27\x29\x22.*?(?P=obj)\x2EsetAttribute\x28[^,]+,\s*[A-Z]/smi"; content:"|3C 2F|script|3E|",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,38615; reference:cve,2010-0806; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-018; classtype:attempted-user; sid:17688; rev:7; service:http; service:imap; service:pop3; )
00349 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer userdata behavior memory corruption attempt"; flow:to_client,established; file_data; content:"|3C|script",nocase; content:"addBehavior|28|",nocase; content:"|23|default|23|userData",within 30,nocase; content:"setAttribute|28|",distance 0,nocase; pcre:"/(?P<obj>[A-Z\d_]+)\.addBehavior\x28(?P<q1>\x22|\x27|)[^\x29]*\x23default\x23userData(?P=q1)\x29.*?(?P=obj)\.setAttribute\x28[^,]+,\s*[A-Z]/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,38615; reference:cve,2010-0806; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-018; classtype:attempted-user; sid:16482; rev:9; service:http; service:imap; service:pop3; )
00350 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer boundElements arbitrary code execution"; flow:to_client,established; file_data; content:"event.boundElements"; content:"window.close"; pcre:"/on(load|click)\s*=\s*\x22?window\.close\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,42288; reference:cve,2010-2557; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-053; classtype:attempted-user; sid:17130; rev:7; service:http; )
00351 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 6 #default#anim attempt"; flow:to_client,established; file_data; content:"behavior:url('#default#anim')",nocase; metadata:policy balanced-ips drop,policy security-ips alert,service http; reference:cve,2010-3343; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-090; classtype:attempted-user; sid:18216; rev:8; service:http; )
00352 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer oversize recordset object cache size exploit attempt"; flow:to_client,established; file_data; content:"recordset"; content:".CacheSize",within 100; pcre:"/^\s*=\s/R"; byte_test:10,>,0x3ffffffe,0,relative,string; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-1117; reference:cve,2010-1118; reference:cve,2010-1259; reference:cve,2010-1262; reference:cve,2011-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-035; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-002; classtype:attempted-user; sid:18280; rev:10; service:http; )
00353 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer document.insertBefore memory corruption attempt"; flow:to_client,established; file_data; content:"document.insertBefore(document"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2011-0036; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-003; classtype:attempted-admin; sid:18404; rev:6; service:http; )
00354 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer contenteditable corruption attempt"; flow:to_client,established; file_data; content:"#default#time2"; content:"schemas-microsoft-com:time",nocase; content:"contenteditable",nocase; content:"|3A|transitionFilter",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-1255; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-050; classtype:attempted-user; sid:19237; rev:8; service:http; service:imap; service:pop3; )
00355 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer VML use after free attempt"; flow:to_client,established; file_data; content:"urn:schemas-microsoft-com:vml"; pcre:"/<v\s*\x3a\s*(image|imagedata|fill|stroke)\s+id\s*=\s*\x22([^\x22]*)\x22[^\x3E]*style\s*=\s*\x22[^\x22]*\x23default\x23VML[^\x22]*\x22.*document\x2EgetElementById\s*\x28\s*\x22\2\x22\s*\x29\x2Esrc\s+\x3D/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,48173; reference:cve,2011-1266; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-052; classtype:attempted-user; sid:19910; rev:5; service:http; )
00356 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer MDAC remote code execution attempt"; flow:to_client,established; file_data; content:"eval|28 22|r|3D|o|22|",nocase; content:"ect|28|n|2C 27 27 29|",distance 0,nocase; pcre:"/bj\x22[\x0D\x0A\s\t]*\x2b[\x0D\x0A\s\t]*\x22ect\x28n\x2C\x27\x27\x29/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-014; classtype:attempted-user; sid:19872; rev:2; service:http; )
00358 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 8 toStaticHTML XSS attempt"; flow:to_client,established; file_data; content:"toStaticHTML(",fast_pattern,nocase; content:"expression(",within 100,nocase; pcre:"/toStaticHTML\x28.*?[\x26\x22].=expression\x28/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2011-1252; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-050; classtype:attempted-user; sid:19239; rev:5; service:http; )
00359 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer innerHTML against incomplete element heap corruption attempt"; flow:to_client,established; file_data; content:"|3C|em id|3D 22|obj|22 3E|"; content:"obj|2E|outerHTML|2B 2B|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-0490; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-018; classtype:attempted-user; sid:19147; rev:5; service:http; )
00360 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CSS importer use-after-free attempt"; flow:to_client,established; file_data; content:"@|00|i|00|m|00|p|00|o|00|r|00|t|00| |00|"; content:"@|00|i|00|m|00|p|00|o|00|r|00|t|00| |00|",distance 0; content:"@|00|i|00|m|00|p|00|o|00|r|00|t|00| |00|",distance 0; pcre:"/\x40\x00i\x00m\x00p\x00o\x00r\x00t\x00 \x00(u\x00r\x00l\x00\x28\x00)?\x22\x00([^\x22]+)\x22\x00(\x29\x00)?\x3B\x00[^\x40]*\x40\x00i\x00m\x00p\x00o\x00r\x00t\x00 \x00(u\x00r\x00l\x00\x28\x00)?\x22\x00\2\x22\x00(\x29\x00)?\x3B\x00[^\x40]*\x40\x00i\x00m\x00p\x00o\x00r\x00t\x00 \x00(u\x00r\x00l\x00\x28\x00)?\x22\x00\2\x22/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,45246; reference:cve,2010-3971; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-003; classtype:attempted-user; sid:18240; rev:9; service:http; )
00361 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer createTextRange code execution attempt"; flow:to_client,established; file_data; content:".createTextRange|28 29 3B|"; content:"<input type|3D 22|radio|22|",nocase; pcre:"/\x3Cinput\s+type\x3D\x22radio\x22\s+id\x3D(?P<q1>(\x22|\x27|))(?P<t>\S+)(?P=q1).*?document\x2EgetElementById\x28(?P<q2>(\x22|\x27|))(?P=t)(?P=q2)\x29\x2EcreateTextRange/isO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,17196; reference:cve,2006-1359; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-013; classtype:attempted-user; sid:17262; rev:4; service:http; )
00362 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer createTextRange code execution attempt"; flow:to_client; file_data; content:".createTextRange|28 29 3B|"; content:"<input type|3D 22|checkbox|22|",nocase; pcre:"/\x3Cinput\s+type\x3D\x22checkbox\x22\s+id\x3D(?P<q1>(\x22|\x27|))(?P<t>\S+)(?P=q1).*?document\x2EgetElementById\x28(?P<q2>(\x22|\x27|))(?P=t)(?P=q2)\x29\x2EcreateTextRange/isO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,17196; reference:cve,2006-1359; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-013; classtype:attempted-user; sid:17261; rev:4; service:http; )
00363 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer createTextRange code execution attempt"; flow:to_client; file_data; content:".createTextRange|28 29 3B|"; content:"<input type|3D 22|image|22|",nocase; pcre:"/\x3Cinput\s+type\x3D\x22image\x22\s+id\x3D(?P<q1>(\x22|\x27|))(?P<t>\S+)(?P=q1).*?document\x2EgetElementById\x28(?P<q2>(\x22|\x27|))(?P=t)(?P=q2)\x29\x2EcreateTextRange/isO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,17196; reference:cve,2006-1359; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-013; classtype:attempted-user; sid:16035; rev:6; service:http; )
00364 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 6/7 single line outerHTML invalid reference arbitrary code execution attempt"; flow:to_client,established; file_data; content:"document.getElementsByTagName|28|'STYLE'|29|[0].outerHTML"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:bugtraq,37085; reference:cve,2009-3672; reference:cve,2009-4054; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-072; classtype:attempted-user; sid:16311; rev:6; service:http; )
00365 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer isindex buffer overflow attempt"; flow:to_client,established; file_data; content:"<style>",nocase; content:"<isindex>",distance 0,fast_pattern,nocase; content:"<style>",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,27668; reference:cve,2008-0076; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-010; classtype:attempted-user; sid:16063; rev:7; service:http; )
00366 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer nested tag memory corruption attempt"; flow:to_client,established; file_data; content:"datasrc",nocase; content:"datafld",nocase; pcre:"/<(?P<t1>button|div|input[^>]+?type\s*=\s*(\x22|\x27)button(\x22|\x27)|label|legend|marquee|param|span)\s+[^>]*(datasrc\s*=\s*(?P<q1>\x22|\x27|)(?P<d1>\S+)(?P=q1)\s+[^>]*datafld\s*=\s*(?P<q2>\x22|\x27|)(?P<d2>\S+)(?P=q2)|datafld\s*=\s*(?P<q3>\x22|\x27|)(?P<d3>\S+)(?P=q3)\s+[^>]*datasrc\s*=\s*(?P<q4>\x22|\x27|)(?P<d4>\S+)(?P=q4))[^>]*>(?!.*?<\/\s*(?P=t1)\s*>.*?<(?P=t1)).*?<(?P=t1)\s+[^>]*(datasrc\s*=\s*(?P<q5>\x22|\x27|)((?P=d1)|(?P=d3))(?P=q5)\s+datafld\s*=\s*(?P<q6>\x22|\x27|)((?P=d2)|(?P=d4))(?P=q6)|(datafld\s*=\s*(?P<q7>\x22|\x27|)(?P=d1)(?P=q7)\s+datasrc\s*=\s*(?P<q8>\x22|\x27|)(?P=d2)(?P=q8)))/Osi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,32721; reference:cve,2008-4844; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-078; classtype:attempted-user; sid:15126; rev:11; service:http; )
00367 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CSS strings parsing memory corruption attempt"; flow:to_client,established; file_data; content:"text-decoration",nocase; pcre:"/\x2E[A-Z\d_]+\s*\x7b\s*text-decoration[^\x3A]*?\x7d/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2007-0943; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-045; classtype:attempted-user; sid:17645; rev:4; service:http; )
00369 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 8 DOM memory corruption attempt"; flow:to_client,established; file_data; content:"|22|X-UA-Compatible|22|",nocase; content:"content|3D 22|IE|3D|8|22|",distance 0,nocase; pcre:"/<\s*script.*?(?P<element2>\w+?)\x2Eparentnode\x2Eremovechild\x28(?P=element2)\x29/smi"; content:"|3C|ul|3E|",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,37188; reference:cve,2009-3671; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-072; classtype:attempted-user; sid:21994; rev:3; service:http; )
00370 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CSS handling memory corruption attempt"; flow:to_client,established; file_data; content:"<style",nocase; content:"document.styleSheets[0].rules[0].style",distance 0,nocase; content:"document.styleSheets[0].cssText",distance 0,nocase; content:".font",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-1919; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-034; classtype:attempted-user; sid:15732; rev:7; service:http; )
00371 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer table layout uninitialized or deleted object access attempt"; flow:to_client,established; file_data; content:"<span style=|22|position|3A| absolute|3B|writing-mode|3A| bt-rl|22|>",nocase; content:"<table style=|22|float|3A|left|3B 22|>",within 60,nocase; content:"</table>",within 20,nocase; content:"</span>",within 40,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-2531; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-054; classtype:misc-activity; sid:16152; rev:6; service:http; )
00372 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer onPropertyChange deleteTable memory corruption attempt"; flow:to_client,established; file_data; content:"res=document.getElementById|28|'column'|29 3B|"; content:"res.onpropertychange=",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-0244; classtype:misc-activity; sid:16376; rev:5; service:http; )
00373 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer navigating between pages race condition attempt"; flow:to_client,established; file_data; content:"function set_timers|28 29|"; content:"setInterval|28|'flip_page|28 29|'",within 40; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-0551; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-014; classtype:attempted-user; sid:15458; rev:6; service:http; )
00374 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer deleted/unitialized object memory corruption attempt"; flow:to_client,established; file_data; content:"<script",nocase; content:"var arr1=new Array",distance 1; content:"history.go|28|arr1[1]|29|",distance 1; content:"arr1[i] += temp",distance 1; content:"</script",distance 1,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-0552; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-014; classtype:attempted-user; sid:15459; rev:6; service:http; )
# sid:16369 (CVE-2010-0249, MS10-002, "public exploit"): a single literal content made of space-separated
# decimal numbers. It is matched as text, exactly as that string appeared in one public exploit copy (it
# looks like a char-code encoded script body, but the rule does not decode it). This is the most
# sample-bound rule in this section: any change to the encoding or number spacing gives no alert, so a
# miss says nothing about CVE-2010-0249 exposure. Drop in balanced-ips and security-ips.
00375 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer deleted object access memory corruption attempt - public exploit"; flow:to_client,established; file_data; content:"100 112 99 118 109 102 110 117 46 100 114 102 97 117 101 70 118 102 110 117 79 99 106 102 99 117 40 102 118 117 41 60 32 101 111 100 117 110 101 111 116 47 103 102 116 70 108 102 109 102 110 117 66 122 73 101 40 35 115 113 49 35 41 47 105 111 110 102 114 73 84 78 76 62 34 35 59 120 105 111 100 112 119 47 115 102 116 74 110 117 101 115 118 98 108"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-0249; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-002; classtype:attempted-user; sid:16369; rev:7; service:http; )
# sid:16637 (CVE-2010-0255, MS10-035): the hex-escaped content decodes to the literal text
#   /test/setScript.htm\?\<script language=\'vbscript\' src=\'http://<server>/test/test.vbs\'\>
# i.e. the advisory's template, including the unreplaced "<server>" placeholder and the backslash-escaped
# quotes. Only an unmodified copy of that template matches; a real deployment with a hostname filled in
# does not. Consider it a canary for the published PoC rather than coverage for the vulnerability.
00376 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer security zone restriction bypass attempt"; flow:to_client,established; file_data; content:"|2F|test|2F|setScript|2E|htm|5C 3F 5C 3C|script language|3D 5C 27|vbscript|5C 27| src|3D 5C 27|http|3A 2F 2F 3C|server|3E 2F|test|2F|test|2E|vbs|5C 27 5C 3E|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-0255; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-035; classtype:attempted-user; sid:16637; rev:7; service:http; )
# --- CVE-2010-0806 (MS10-018) "invalid pointer" family: sids 17687, 17686, 17685 (sid:25984 further down,
# line 00422, covers the same CVE via the addBehavior/#default#userData pattern) ---
# sid:17687: anchored on the CSS rule ".test {behavior: url(#default#userData)" (case-insensitive), then two
# hex contents that decode to ASCII text of a "\x"-escaped byte string as it appeared in a sample:
#   "99\x95\x9b\xcc\x" and "9d\xc9\x88\xd8\x9e\x9d\x95\x9d\x"
# The rule matches the escaped text form, not the decoded bytes, so it is bound to that sample's string
# layout. Any different shellcode/encoding in the same exploit page gives no alert.
00377 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer invalid pointer memory corruption attempt"; flow:to_client,established; file_data; content:"|2E|test|20 7B|behavior|3A 20|url|28 23|default|23|userData|29|",nocase; content:"|39 39 5C 78 39 35 5C 78 39 62 5C 78 63 63 5C 78|",distance 0; content:"|39 64 5C 78 63 39 5C 78 38 38 5C 78 64 38 5C 78 39 65 5C 78 39 64 5C 78 39 35 5C 78 39 64 5C 78|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-0806; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-018; classtype:attempted-user; sid:17687; rev:7; service:http; )
# sid:17686: same anchor and structure as sid:17687 with a second sample's escaped fragments:
#   "af\xac\xbd\xed\x" and "bd\xed\xae\xf9\xab\xac\xbd\xed\x"
# The two rules only differ in the sample-specific tail; the shared ".test {behavior: url(#default#userData)"
# anchor is the only generic element.
00378 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer invalid pointer memory corruption attempt"; flow:to_client,established; file_data; content:"|2E|test|20 7B|behavior|3A 20|url|28 23|default|23|userData|29|",nocase; content:"|61 66 5C 78 61 63 5C 78 62 64 5C 78 65 64 5C 78|",distance 0; content:"|62 64 5C 78 65 64 5C 78 61 65 5C 78 66 39 5C 78 61 62 5C 78 61 63 5C 78 62 64 5C 78 65 64 5C 78|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-0806; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-018; classtype:attempted-user; sid:17686; rev:7; service:http; )
# sid:17685: "setAttribute", then "document.location", then within 40 bytes the literal
# about:\u0c0c\u0c0c\u0c0c\u0c0cblank" (the \u escapes are matched as text), then "<marquee".
# The four repeated \u0c0c escapes are a heap-spray idiom from the public PoC; a different filler value
# or count is not matched.
00379 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer invalid pointer memory corruption attempt"; flow:to_client,established; file_data; content:"setAttribute"; content:"document.location",distance 0; content:"about|3A 5C|u0c0c|5C|u0c0c|5C|u0c0c|5C|u0c0cblank|22|",within 40; content:"<marquee",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-0806; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-018; classtype:attempted-user; sid:17685; rev:7; service:http; )
# sid:17747 (CVE-2010-1883, MS10-076): Embedded OpenType font delivered over http/imap/pop3
# ($FILE_DATA_PORTS). Gated by flowbits:isset,file.eot, so it only evaluates after a separate rule (not in
# this section) has flagged the stream as an EOT file; if that file-type rule is disabled or the transfer is
# not recognised, this rule never fires. The detection itself is a single 24-byte literal from one malformed
# font sample, so coverage is limited to that sample. classtype attempted-admin; drop in balanced-ips and
# security-ips.
00380 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer compressed HDMX font processing integer overflow attempt"; flow:to_client,established; flowbits:isset,file.eot; file_data; content:"|35 1E 8C F3 EA 69 54 52 D3 04 21 97 B9 56 49 31 28 EA D2 95 1D 8C 6C 5B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-1883; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-076; classtype:attempted-admin; sid:17747; rev:9; service:http; service:imap; service:pop3; )
# --- MS10-053 / MS10-071 proof-of-concept signatures ---
# sid:17136 (CVE-2010-2558, MS10-053): a meta refresh with content="01" followed by an iframe whose src is
# the literal PoC filename "iframepoc.html". The filename is the discriminating element, so this matches
# the published test page and little else.
00381 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 6 race condition exploit attempt"; flow:to_client,established; file_data; content:"|3C|meta http-equiv|3D 22|refresh|22| content|3D 22|01|22 2F 3E|"; content:"|3C|iframe src|3D 22|iframepoc.html|22 3E 3C 2F|iframe|3E|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-2558; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-053; classtype:attempted-user; sid:17136; rev:6; service:http; )
# sid:17774 (CVE-2010-3325, MS10-071): single content "alert(el.currentStyle.fontFamily)". The alert() call
# identifies a demonstration page (the CSS cross-origin read itself is the "el.currentStyle.fontFamily"
# access); a page that exfiltrates the value instead of displaying it is not matched.
00382 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 8 CSS XSRF exploit attempt"; flow:to_client,established; file_data; content:"alert|28|el.currentStyle.fontFamily|29|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-3325; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-071; classtype:attempted-user; sid:17774; rev:6; service:http; )
# sid:17769 (CVE-2010-3328, MS10-071): "var x = document.styleSheets[0];" followed by
# "var s = x.rules.item(0).style;". Both contents end in |3B 0A| (";" then a bare LF), so the line ending is
# part of the match: a copy of the same script saved with CRLF line endings does not match. If that is not
# intended, drop the trailing |0A| from both contents in the next rev.
00383 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 8 CSS invalid mapping exploit attempt"; flow:to_client,established; file_data; content:"var x = document.styleSheets|5B 30 5D 3B 0A|"; content:"var s = x.rules.item|28 30 29|.style|3B 0A|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-3328; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-071; classtype:attempted-user; sid:17769; rev:7; service:http; )
# sid:17771 (CVE-2010-3330, MS10-071): single case-insensitive content "var s = linkEle.styleSheet.cssText";
# the PoC's variable names (s, linkEle) and single-space layout are required.
00384 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer cross-domain information disclosure attempt"; flow:to_client,established; file_data; content:"var|20|s|20 3D 20|linkEle|2E|styleSheet|2E|cssText",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-3330; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-071; classtype:attempted-user; sid:17771; rev:7; service:http; )
# sid:15733 (CVE-2009-1918, MS09-034): ordered, case-insensitive chain getElementsByTagName("SPAN")[0] ->
# createElement('TR') -> appendChild(tr). The quoting style ("SPAN" vs 'TR') and the variable name tr are
# taken from the PoC and are required.
00385 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer empty table tag memory corruption attempt"; flow:to_client,established; file_data; content:"document.getElementsByTagName(|22|SPAN|22|)[0]",nocase; content:"document.createElement(|27|TR|27|)",distance 0,nocase; content:"appendChild(tr)",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-1918; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-034; classtype:attempted-user; sid:15733; rev:4; service:http; )
# sid:18539 (CVE-2010-0267, MS10-018): "function doMouseLeave" (fast_pattern) with "window.event.srcElement"
# within 100 bytes, then a pcre that captures the variable assigned from window.event.srcElement and
# requires "<same var>.parentNode.innerHTML = "" inside the same brace-delimited block (the [^\x7D]* runs
# stop at "}"). The backreference is the robust part of this rule. Two precision caveats: the capture
# group ([^\x7D\s]*) may match the empty string, in which case \1 is trivially satisfied and any
# ".parentNode.innerHTML =" in the block suffices; and the function name doMouseLeave is still a hard
# requirement, so the pcre's generality is not exploited for renamed handlers.
00386 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer event handling remote code execution attempt"; flow:to_client,established; file_data; content:"function doMouseLeave",fast_pattern,nocase; content:"window|2E|event|2E|srcElement",within 100,nocase; pcre:"/doMouseLeave[^\x7D]*([^\x7D\s]*)\s*\x3D\s*window\x2Eevent\x2EsrcElement[^\x7D]*\1\x2EparentNode\x2EinnerHTML\s*\x3D\s*\x22/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-0267; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-018; classtype:attempted-user; sid:18539; rev:4; service:http; )
# sid:18401 (CVE-2010-0031, MS11-009): anchored on the Script Encoder marker "//**Start Encode**#@~^"
# (fast_pattern, nocase), then a NEGATED content: the two bytes starting 6 bytes after the marker must not
# be "==". The six skipped bytes are presumably the encoded-length field of the header, so the rule fires
# on a header that lacks the expected "==" terminator, i.e. a malformed encoding rather than every encoded
# script. Because the anchor is a fixed banner, legitimate Script-Encoder output with a well-formed header
# is not alerted on. classtype attempted-admin.
00387 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer Base64 encoded script overflow attempt"; flow:to_client,established; file_data; content:"//|2A|*Start Encode**#@~^",fast_pattern,nocase; content:!"==",within 2,distance 6; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-0031; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-009; classtype:attempted-admin; sid:18401; rev:7; service:http; )
# sid:16584 (CVE-2010-0886, CVE-2010-1423, bugtraq 39346): Java Web Start launched through the IE ActiveX
# path. Three contents with no relative modifiers, so order is not enforced: the Java Deployment Toolkit
# CLSID 8AD9C840-044E-11D1-B3E9-00805F499D93, the JVM switch "-XXaltjvm" and "launchjnlp" (nocase).
# "-XXaltjvm" is the element that distinguishes abuse from ordinary deployment-toolkit use; the CLSID and
# launchjnlp alone appear on legitimate pages.
00388 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Oracle Java Web Start arbitrary command execution attempt - Internet Explorer"; flow:to_client,established; file_data; content:"8AD9C840-044E-11D1-B3E9-00805F499D93"; content:"-XXaltjvm"; content:"launchjnlp",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,39346; reference:cve,2010-0886; reference:cve,2010-1423; classtype:attempted-user; sid:16584; rev:5; service:http; )
# sid:24204 (CVE-2012-1876, MS12-037): "table-layout:" with "fixed" within 7 bytes, then two non-relative
# literals from the public PoC: the getElementById("div_table") assignment to divt and the exact
# <col id='col_id' width='41' span='9'> tag (case-sensitive). The element ids and attribute values are
# sample-specific.
# Consistency note: this rule declares service imap/pop3 in metadata and in the service: options but keeps
# $HTTP_PORTS in the header, whereas every other imap/pop3 rule in this section (e.g. sid:17747, sid:24956)
# uses $FILE_DATA_PORTS. As written it cannot see mail traffic on ports outside $HTTP_PORTS; either the
# port variable or the service list should change in the next rev.
00391 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer html table column span width increase memory corruption attempt"; flow:to_client,established; file_data; content:"table-layout|3A|",nocase; content:"fixed",within 7,nocase; content:"var divt = document.getElementById(|22|div_table|22|)",nocase; content:"<col id='col_id' width='41' span='9'>"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1876; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-037; classtype:attempted-user; sid:24204; rev:3; service:http; service:imap; service:pop3; )
# --- CVE-2012-4969 (MS12-063) execCommand("selectAll") use-after-free, three rules of decreasing specificity ---
# sid:24210: the case-sensitive call execCommand("selectAll"), an onload= attribute and an onselect=
# attribute within 50 bytes of it, with a pcre requiring both handlers on the same <body ...> tag.
# This rule cites only the vendor write-up; it covers the same bug as sid:24212 and sid:24252 below, so
# adding `reference:cve,2012-4969;` would let SIEM correlation group the three.
00393 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer execCommand use-after-free attempt"; flow:to_client,established; file_data; content:"execCommand(|22|selectAll|22|)"; content:"onload=",nocase; content:"onselect=",within 50,nocase; pcre:"/body[^>]*?onload[^>]*?onselect/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,labs.alienvault.com/labs/index.php/2012/new-internet-explorer-zero-day-being-exploited-in-the-wild/; classtype:attempted-user; sid:24210; rev:3; service:http; )
# sid:24212: looser variant. "body" (nocase, no modifiers, so it can anchor on any occurrence of the word)
# with "onselect=" within 50 bytes, plus independent "selectAll", "document.write" and "execCommand"
# matches, and a pcre that accepts either quote style and optional whitespace inside the execCommand
# call. Note the content "selectAll" is case-sensitive while the pcre is /i; the content match is the
# stricter gate, so mixed-case spellings are dropped before the pcre runs.
00394 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer execCommand use-after-free attempt"; flow:to_client,established; file_data; content:"body",nocase; content:"onselect=",within 50,nocase; content:"selectAll"; content:"document.write",nocase; content:"execCommand",nocase; pcre:"/execCommand\x28\s*?[\x22\x27]selectAll[\x22\x27]\s*?\x29/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-4969; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-063; classtype:attempted-user; sid:24212; rev:4; service:http; )
# sid:24252 (rev 1): the broadest of the three -- any "<script>" ... "execCommand(" ... "</script>"
# followed later by an "onselect=" attribute, in that order. There is no selectAll requirement, so
# this will presumably also match rich-text editor pages that use execCommand and onselect legitimately;
# tune or treat as lower confidence than sid:24210/24212.
00395 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer execCommand use embedded within javascript tags"; flow:to_client,established; file_data; content:"<script>",nocase; content:"execCommand(",distance 0; content:"</script>",distance 0,nocase; content:"onselect=",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-4969; classtype:attempted-user; sid:24252; rev:1; service:http; )
# --- mergeAttributes/swapNode memory corruption (CVE-2010-0247 MS10-002, CVE-2011-0094 MS11-018, bugtraq 37893) ---
# sid:24869 and sid:24870 are the same signature instantiated for two PoC variable names: each requires
# "<name>.mergeAttributes(<name>)" and "<name>.swapNode(<name>)" with the object passed to itself. The two
# contents carry no relative modifiers, so order is not enforced. Because the variable name is hard-coded
# ("redhat" here, "body" below), a third name is not covered; a single pcre with a backreference -- the
# technique sid:18539 already uses -- would cover all names in one rule. Both rules are classtype
# misc-activity, unlike the attempted-user classification of the surrounding memory-corruption rules.
00396 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer DOM mergeAttributes memory corruption attempt"; flow:to_client,established; file_data; content:"redhat.mergeAttributes|28|redhat|29|"; content:"redhat.swapNode|28|redhat|29|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,37893; reference:cve,2010-0247; reference:cve,2011-0094; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-002; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-018; classtype:misc-activity; sid:24869; rev:1; service:http; )
# sid:24870: variant of sid:24869 for the variable name "body".
00397 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer DOM mergeAttributes memory corruption attempt"; flow:to_client,established; file_data; content:"body.mergeAttributes|28|body|29|"; content:"body.swapNode|28|body|29|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,37893; reference:cve,2010-0247; reference:cve,2011-0094; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-002; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-018; classtype:misc-activity; sid:24870; rev:1; service:http; )
# sid:24956 (CVE-2012-4787, MS12-077), http/imap/pop3 via $FILE_DATA_PORTS. Content pre-filter:
# "getElementById" -> "document.createElement" -> "CollectGarbage" -> ".outerHTML" in order, plus a
# non-relative "lastChild.style.". The pcre then ties them together with a backreference: the variable
# assigned from getElementById must be the one whose lastChild.style.<prop> receives a createElement()
# result, followed by CollectGarbage and then <var>.outerHTML.
# Precision caveat: the style property is matched by the class [a-z0-9()] with NO quantifier, i.e. exactly
# one character between "style." and the "=". A multi-character property name (as most are) therefore
# fails the pcre even when the content chain matched; "[a-z0-9()]+" looks like the intended pattern and is
# worth confirming against the original sample before changing.
# classtype is attempted-dos, while sibling use-after-free rules use attempted-user.
00400 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer invalid object property use after free memory corruption attempt"; flow:to_client,established; file_data; content:"getElementById"; content:"document.createElement",distance 0; content:"CollectGarbage",distance 0; content:".outerHTML",distance 0; content:"lastChild.style."; pcre:"/var\s*(\w+)\s*=\s*[\w\.]*?getElementById.*?\1\.lastChild\.style\.[a-z0-9()]\s*=\s*document\.createElement.*?CollectGarbage.*?\1\.outerHTML/ims"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-4787; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-077; classtype:attempted-dos; sid:24956; rev:2; service:http; service:imap; service:pop3; )
# --- CVE-2012-4792 (advisory 2794220) "deleted button" use-after-free: six rules, all http/imap/pop3 on
# $FILE_DATA_PORTS, ordered here from most sample-bound to most generic ---
# sid:25125: the literal deobfuscation call `.replace(/jj/g,"%");` -- the sample's own "jj" -> "%"
# substitution step. Sample-specific; a different filler token gives no alert.
00401 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_client,established; file_data; content:".replace|28|/jj/g,|22|%|22 29 3B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25125; rev:1; service:http; service:imap; service:pop3; )
# sid:25126: the encoded form that sid:25125's replace() would turn into "%76%61%72%20%65%30%20%3D", i.e.
# the prologue "var e0 =" of the same sample. Matches the obfuscated payload as transmitted, so it fires
# even when the replace() line itself is absent, but it is still bound to the "jj" token and the e0 name.
00402 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_client,established; file_data; content:"jj76jj61jj72jj20jj65jj30jj20jj3D"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25126; rev:1; service:http; service:imap; service:pop3; )
# sid:25127: three non-relative literals from the landing page: the Shockwave Flash ActiveX CLSID
# D27CDB6E-AE6D-11cf-96B8-444553540000, a <param name=\"movie\" value=\"today.swf\" /> with backslash-escaped
# quotes (i.e. emitted from inside a JS string), and <iframe src=news.html></iframe>. The CLSID is common
# on benign pages; the two filenames are what make this specific, and they are trivially different in
# any other campaign.
00403 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_client,established; file_data; content:"D27CDB6E-AE6D-11cf-96B8-444553540000"; content:"<param name=|5C 22|movie|5C 22| value=|5C 22|today.swf|5C 22| />"; content:"<iframe src=news.html></iframe>"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25127; rev:1; service:http; service:imap; service:pop3; )
# sid:25128: a single opaque 16-byte literal lifted from a sample; the rule does not interpret it. Highest
# brittleness of the family -- useful only as an IOC for that exact sample.
00404 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_client,established; file_data; content:"|EB D7 77 82 93 D0 7C F6 8B 08 73 08 FD 8B 6B FD|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25128; rev:1; service:http; service:imap; service:pop3; )
# sid:25129: the behavioural rule of the family. appendChild( followed within 50 bytes by
# document.createElement( and "button" within 20, then "outerText" within 200; the pcre confirms the shape
# appendChild(document.createElement("button")...).outerText = "" (empty string, [\x22\x27]{2}) with
# either quote style. This is the rule to rely on for variants; keep it even if the sample-bound ones
# (sid:25125-25128) are retired.
00405 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_client,established; file_data; content:"appendChild|28|"; content:"document.createElement|28|",within 50; content:"button",within 20; content:"outerText",within 200; pcre:"/appendChild\x28\s*document\x2ecreateElement\x28\s*[\x22\x27]button[\x22\x27].*?outerText\s*=\s*[\x22\x27]{2}/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25129; rev:1; service:http; service:imap; service:pop3; )
# sid:25234: window.location assigned from unescape("%...http:" -- a percent-encoded redirect target.
# This pattern is a generic obfuscated-redirect idiom and contains nothing tied to the button
# use-after-free; the msg/CVE attribution comes from the campaign it was seen in. Expect it to fire on
# unrelated redirectors, and do not read a hit as CVE-2012-4792 exploitation without the other rules.
# All matches here are case-sensitive (no nocase, no /i), so mixed-case "unescape"/"Window" is missed.
00411 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt"; flow:to_client,established; file_data; content:"window.location"; content:"unescape",within 30; content:"http",within 30; pcre:"/window\x2elocation\s*=\s*unescape\s*\x28\s*["']\x25[^"']*https?\x3a/"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-4792; reference:url,technet.microsoft.com/en-us/security/advisory/2794220; classtype:attempted-user; sid:25234; rev:1; service:http; service:imap; service:pop3; )
# --- MS13-009 family ---
# sid:25769 (CVE-2013-0027): queryCommandState( with "paste" within 6 bytes (leaving room for one quote
# character) and a case-sensitive "onbeforepaste" handler anywhere. This is one cell of a
# {queryCommandState, queryCommandEnabled, queryCommandIndeterm, queryCommandValue} x {paste, copy, cut}
# matrix; the other cells are sid:26216-26225 further down (lines 00436-00445). The matrix as visible here
# has no queryCommandValue/cut rule -- confirm whether that combination lives elsewhere in the ruleset.
00413 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CHTMLEditor object use after free attempt"; flow:to_client,established; file_data; content:"querycommandstate(",nocase; content:"paste",within 6,nocase; content:"onbeforepaste"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:25769; rev:4; service:http; )
# sid:25770 (CVE-2013-0020): DOMParser, createCDATASection, .cloneNode, adoptNode (after cloneNode) and
# CollectGarbage(). Only adoptNode is position-constrained; the rest are independent substring checks,
# so the rule is an API co-occurrence heuristic rather than a structural match.
00414 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer deleted object access memory corruption attempt"; flow:to_client,established; file_data; content:"DOMParser"; content:"createCDATASection",nocase; content:"|2E|cloneNode",nocase; content:"adoptNode",distance 0,nocase; content:"CollectGarbage()",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-0020; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-009; classtype:attempted-user; sid:25770; rev:1; service:http; service:imap; service:pop3; )
# sid:25773 (CVE-2013-0030): VML shape with an oversized "path" attribute. The content chain already
# encodes the condition: createElement( ... shape ... setAttribute( ... "path" then isdataat:506,relative
# plus a negated ")" within 506 bytes, i.e. at least 506 bytes of attribute value with no closing paren.
# The pcre is meant to tie the createElement result (named group m1) to the setAttribute call, but it
# contains several "s*?" where "\s*?" was evidently intended (after (?P<m1>\w+), after "=", after "[\w]",
# before ".\s*?setAttribute" and in "\.s*?path"). As written those positions accept an optional literal
# "s" and no whitespace, so the pcre only matches source written as "var x=document.createElement" with
# no spaces around "=" -- samples with normal spacing pass the content chain and then fail the pcre.
# Restoring "\s*?" (and escaping the "." before setAttribute) would make the pcre match its intent.
00415 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer VML shape object malformed path attempt"; flow:to_client,established; file_data; content:"document.createElement(",nocase; content:"shape",nocase; content:"setAttribute(",distance 0,fast_pattern,nocase; content:"path",within 5,distance 1,nocase; isdataat:506,relative; content:!")",within 506; pcre:"/var\s*?(?P<m1>\w+)s*?=s*?document.createElement\s*?\([\x22\x27][\w]s*?[\x3a\x3b]\s*?shape[\x22\x27]\).*?(?P=m1)s*?.\s*?setAttribute\s*?\(\s*?[\x22\x27]\s*?path\s*?[\x22\x27]\s*?,\s*?[\x22\x27][^\x29]{506}.*?(?P=m1)\.s*?path/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-0030; classtype:attempted-user; sid:25773; rev:4; service:http; service:imap; service:pop3; )
# sid:25784 (CVE-2013-0022): a <figure> element with dir="rtl" followed by 100 consecutive HTML character
# references ((&#?x?[a-z\d]{2,4};){100}). The 100-entity run is the structural trigger condition, so this
# rule does not depend on sample variable names; the content pre-filter only requires "<figure", "dir",
# "rtl" and "&" each within 50 bytes of the previous.
00416 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer text layout calculation use after free attempt"; flow:to_client,established; file_data; content:"<figure",nocase; content:"dir",within 50,nocase; content:"rtl",within 50,nocase; content:"&",within 50; pcre:"/<figure[^>]+?dir\s*?=\s*?[\x22\x27]\s*?rtl\s*?[\x22\x27].*?(&#?x?[a-z\d]{2,4}\x3b){100}/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-0022; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-009; classtype:attempted-user; sid:25784; rev:1; service:http; service:imap; service:pop3; )
# sid:25786 (CVE-2013-0026): "<script>", "SelectAll", execCommand("Justify, execCommand("Justify,
# "SelectAll", "</script>". Every content is non-relative, so each is searched from the start of the buffer
# independently: the repeated execCommand("Justify and SelectAll entries match the same first occurrence
# and do NOT require two calls. If the intent is "two Justify calls around a second SelectAll", the repeats
# need `distance 0` to chain them. As written the rule reduces to one execCommand("Justify plus one
# SelectAll inside a script, which is also plausible on rich-text editors.
00418 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 9 deleted object access memory corruption attempt"; flow:to_client,established; file_data; content:"<script>",nocase; content:"SelectAll",nocase; content:"execCommand|28 22|Justify",nocase; content:"execCommand|28 22|Justify",nocase; content:"SelectAll",nocase; content:"</script>",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-0026; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-009; classtype:attempted-user; sid:25786; rev:1; service:http; service:imap; service:pop3; )
# sid:25792 (CVE-2013-0023): a single literal SVG <image> fragment with the PoC's exact coordinates
# (x=60 y=50 240x240) and xlink:href="2.svg. Any other geometry or filename is not matched. The msg reads
# "user after free" (a typo for "use after free") and classtype is attempted-admin where the rest of the
# MS13-009 rules use attempted-user; both belong in the next rev.
00421 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer SVG object user after free attempt"; flow:to_client,established; file_data; content:"image x=|22|60|22| y=|22|50|22| width=|22|240|22| height=|22|240|22| xlink|3A|href=|22|2.svg"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0023; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-009; classtype:attempted-admin; sid:25792; rev:2; service:http; )
# sid:25984 (CVE-2010-0806, MS10-018, bugtraq 38615): the userData-behavior variant of the same bug covered
# by sid:17685-17687 above (lines 00377-00379). The first content is a 20-byte hex literal that decodes to
# the ASCII token "oHome96DCGoHome8383G", a string lifted from one sample; it is required, so the generic
# tail ("<script", addBehavior( with #default#userData within 30 bytes, setAttribute() does not broaden
# coverage beyond that sample. A version without the first content would be the generic signature for
# this technique, at the cost of more review noise on pages that legitimately use #default#userData.
00422 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer userdata behavior memory corruption attempt"; flow:to_client,established; file_data; content:"|6F 48 6F 6D 65 39 36 44 43 47 6F 48 6F 6D 65 38 33 38 33 47|"; content:"|3C|script",nocase; content:"addBehavior|28|",nocase; content:"|23|default|23|userData",within 30,nocase; content:"setAttribute|28|",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,38615; reference:cve,2010-0806; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-018; classtype:attempted-user; sid:25984; rev:3; service:http; service:imap; service:pop3; )
# sid:3079 rev 19 (CVE-2004-1049, CVE-2007-0038, CVE-2007-1765; MS05-002, MS07-017; community ruleset):
# malformed Windows animated-cursor (.ani) file. Unlike the PoC-string rules around it, this one checks
# file structure: "RIFF" in the first 4 bytes, "ACON" at bytes 8-11 (within 4, distance 4 skips the RIFF
# size field), then an "anih" chunk tag and byte_test on the 4-byte little-endian value immediately after
# it -- the chunk length -- requiring it to be greater than 36, the size of the fixed ANIHEADER structure.
# An oversized anih length is the trigger condition for all three CVEs, so this rule generalises across
# samples. It is gated by flowbits:isset,file.ani (set by a file-type rule outside this section); if that
# rule is disabled the check never runs. Delivered over http/imap/pop3 ($FILE_DATA_PORTS).
00425 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer ANI file parsing buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.ani; file_data; content:"RIFF",depth 4; content:"ACON",within 4,distance 4; content:"anih",distance 0,nocase; byte_test:4,>,36,0,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http,service imap,service pop3; reference:cve,2004-1049; reference:cve,2007-0038; reference:cve,2007-1765; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-002; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-017; classtype:attempted-user; sid:3079; rev:19; service:http; service:imap; service:pop3; )
# --- MS13-021 family (http/imap/pop3 on $FILE_DATA_PORTS) ---
# sid:26125 (CVE-2013-0087): document.execCommand with "2D-position" within 100 bytes (fast_pattern), then
# contenteditable ... "true" within 10, onresize, and document.write within 30 bytes of the onresize
# attribute (document.write is case-sensitive while the rest is nocase).
00426 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 2D-position use after free attempt"; flow:to_client,established; file_data; content:"document.execCommand"; content:"2D-position",within 100,fast_pattern,nocase; content:"contenteditable",distance 0,nocase; content:"true",within 10,nocase; content:"onresize",distance 0,nocase; content:"document.write",within 30; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-0087; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-021; classtype:attempted-user; sid:26125; rev:1; service:http; service:imap; service:pop3; )
# sid:26129 (CVE-2013-0094): HTC behavior file, gated by flowbits:isset,file.htc (set elsewhere). The pcre
# captures the PUT= handler name from <PUBLIC:PROPERTY ...> (named group func) and requires a function
# of that name whose body reaches CollectGarbage(). Two caveats: (?P<func>\w*) may capture an empty
# name, which makes the backreference trivial; and the body scan uses [^\x7c]*? -- excluding "|" --
# where [^\x7d] (excluding "}") looks intended to keep the match inside the function body. As written
# the CollectGarbage() call may be matched from a later function.
00427 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer htc file use after free attempt"; flow:to_client,established; flowbits:isset,file.htc; file_data; content:"<PUBLIC:PROPERTY"; content:"PUT",distance 0; content:"CollectGarbage()"; pcre:"/<PUBLIC:PROPERTY[^>]*?PUT\s*=\s*[\x22\x27](?P<func>\w*).*?function\s*(?P=func).*?\x7b[^\x7c]*?CollectGarbage\x28\x29/sm"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-0094; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-021; classtype:attempted-user; sid:26129; rev:2; service:http; service:imap; service:pop3; )
# sid:26132 (CVE-2013-0088): saveHistory behavior. Pre-filter: "behavior" ... "url" within 5 ...
# "#savehistory" (fast_pattern) ... ".outerHTML". The pcre checks the full structure: a <meta> carrying
# name="save" and content="history" in either order, a <style> class with behavior:url(#savehistory),
# an assignment to <element>.outerHTML, then an element with id="<element>" and class="<class>" (named
# groups element/class). The final character class [\x23\x27]? admits "#" or "'" as the closing quote;
# "\x22" (a double quote) was presumably meant to mirror the opening [\x22\x27]?. Harmless because the
# group is optional, but worth correcting in the next rev. classtype attempted-dos, while the other
# saveHistory rule (sid:26135) is attempted-user under the same msg.
00429 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer saveHistory use after free attempt"; flow:to_client,established; file_data; content:"behavior",nocase; content:"url",within 5,nocase; content:"#savehistory",distance 0,fast_pattern,nocase; content:".outerHTML",distance 0,nocase; pcre:"/<\s*meta[^>]*?(?>content\s*=\s*"history"[^>]*?name\s*=\s*"save"|name\s*=\s*"save"[^>]*?content\s*=\s*"history")\s*>.*?<\s*style[^>]*?>.*?\.(?P<class>\w+)\s*\{[^}]*?behavior\s*\:[^\;]*?url\s*\x28[^\x29]*?#savehistory[^\x29]*?\x29.*?(?P<element>\w+)\.outerHTML\s*=.*?id\s*=\s*[\x22\x27](?P=element)[\x22\x27].*?class=[\x22\x27]?(?P=class)[\x23\x27]?/ims"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-0088; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-021; classtype:attempted-dos; sid:26132; rev:2; service:http; service:imap; service:pop3; )
# sid:26134 (CVE-2013-0091): "<title onreadystatechange =" followed, starting 10 to 60 bytes later, by
# "style = '-ms-behavior: url(". Both literals include the PoC's spaces around "=" so a minified copy is
# not matched.
00431 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 8 deleted object access memory corruption attempt"; flow:to_client,established; file_data; content:"<title onreadystatechange ="; content:"style = '-ms-behavior: url(",within 50,distance 10,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-0091; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-021; classtype:attempted-user; sid:26134; rev:1; service:http; service:imap; service:pop3; )
# sid:26135 (CVE-2013-0089): the exact CSS rule ".saveHistory {behavior:url(#default#savehistory);}"
# (case-sensitive, whitespace-exact), "CLASS=saveHistory onsave=", setTimeout, document.open() and a
# document.createElement( within 100 bytes of document.open(). The first content binds this rule to one
# formatting of the PoC stylesheet.
00432 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer saveHistory use after free attempt"; flow:to_client,established; file_data; content:".saveHistory {behavior|3A|url(#default#savehistory)|3B|}"; content:"CLASS=saveHistory onsave=",nocase; content:"setTimeout"; content:"document.open()"; content:"document.createElement(",within 100; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-0089; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-021; classtype:attempted-user; sid:26135; rev:1; service:http; service:imap; service:pop3; )
# sid:26137 (CVE-2013-0093): one case-sensitive literal, the PoC's
# <body onload='document.execCommand("SelectAll");' onbeforecopy= tag with its exact quoting. Compare the
# CHTMLEditor rules (sid:25769, 26216-26225) which match the same copy/cut/paste handler family by API
# name rather than by tag layout.
00434 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 9 onBeforeCopy use after free attempt"; flow:to_client,established; file_data; content:"<body onload=|27|document.execCommand(|22|SelectAll|22|)|3B 27| onbeforecopy="; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-0093; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-021; classtype:attempted-user; sid:26137; rev:1; service:http; service:imap; service:pop3; )
# --- CVE-2013-0027 (MS13-009) CHTMLEditor use-after-free: sids 26216-26225 ---
# Together with sid:25769 (line 00413) these enumerate one rule per (query API, clipboard command) pair:
# queryCommandState / queryCommandEnabled / queryCommandIndeterm / queryCommandValue, each with "paste",
# "copy" or "cut" as the argument and the matching onbefore<command> handler present. The "within" value
# equals the argument length plus one, leaving room for exactly one quote character between "(" and the
# argument; the API match and argument are nocase, the onbefore* handler name is case-sensitive. The set
# visible here has no queryCommandValue/cut rule -- the only cell missing from the matrix -- so check
# whether it exists elsewhere before relying on full coverage. No drop-policy or classtype differences
# across the ten rules.
# sid:26216: queryCommandState("copy") + onbeforecopy
00436 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CHTMLEditor object use after free attempt"; flow:to_client,established; file_data; content:"querycommandstate(",nocase; content:"copy",within 5,nocase; content:"onbeforecopy"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:26216; rev:2; service:http; )
# sid:26217: queryCommandState("cut") + onbeforecut
00437 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CHTMLEditor object use after free attempt"; flow:to_client,established; file_data; content:"querycommandstate(",nocase; content:"cut",within 4,nocase; content:"onbeforecut"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:26217; rev:2; service:http; )
# sid:26218: queryCommandEnabled("paste") + onbeforepaste
00438 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CHTMLEditor object use after free attempt"; flow:to_client,established; file_data; content:"querycommandenabled(",nocase; content:"paste",within 6,nocase; content:"onbeforepaste"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:26218; rev:2; service:http; )
# sid:26219: queryCommandEnabled("copy") + onbeforecopy
00439 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CHTMLEditor object use after free attempt"; flow:to_client,established; file_data; content:"querycommandenabled(",nocase; content:"copy",within 5,nocase; content:"onbeforecopy"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:26219; rev:2; service:http; )
# sid:26220: queryCommandEnabled("cut") + onbeforecut
00440 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CHTMLEditor object use after free attempt"; flow:to_client,established; file_data; content:"querycommandenabled(",nocase; content:"cut",within 4,nocase; content:"onbeforecut"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:26220; rev:2; service:http; )
# sid:26221: queryCommandIndeterm("paste") + onbeforepaste
00441 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CHTMLEditor object use after free attempt"; flow:to_client,established; file_data; content:"querycommandindeterm(",nocase; content:"paste",within 6,nocase; content:"onbeforepaste"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:26221; rev:2; service:http; )
# sid:26222: queryCommandIndeterm("copy") + onbeforecopy
00442 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CHTMLEditor object use after free attempt"; flow:to_client,established; file_data; content:"querycommandindeterm(",nocase; content:"copy",within 5,nocase; content:"onbeforecopy"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:26222; rev:2; service:http; )
# sid:26223: queryCommandIndeterm("cut") + onbeforecut
00443 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CHTMLEditor object use after free attempt"; flow:to_client,established; file_data; content:"querycommandindeterm(",nocase; content:"cut",within 4,nocase; content:"onbeforecut"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:26223; rev:2; service:http; )
# sid:26224: queryCommandValue("paste") + onbeforepaste
00444 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CHTMLEditor object use after free attempt"; flow:to_client,established; file_data; content:"querycommandvalue(",nocase; content:"paste",within 6,nocase; content:"onbeforepaste"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:26224; rev:2; service:http; )
# sid:26225: queryCommandValue("copy") + onbeforecopy  (no queryCommandValue("cut") rule follows)
00445 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CHTMLEditor object use after free attempt"; flow:to_client,established; file_data; content:"querycommandvalue(",nocase; content:"copy",within 5,nocase; content:"onbeforecopy"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-009; classtype:attempted-user; sid:26225; rev:2; service:http; )
# sid:13912 rev 6 (CVE-2006-1016, bugtraq 16870): single content "isComponentInstalled(boom" -- the
# argument "boom" is the PoC's placeholder, so this matches the published test case rather than the API
# misuse in general. This is the only rule in this section that also drops in the connectivity-ips policy
# (in addition to balanced-ips and security-ips); if that is unintended for a PoC-only signature, the
# metadata is where to adjust it.
00446 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer isComponentInstalled attack attempt"; flow:to_client,established; file_data; content:"isComponentInstalled|28|boom"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:cve,2006-1016; reference:bugtraq,16870; classtype:attempted-user; sid:13912; rev:6; service:http; )
# Rules on $FILE_DATA_PORTS also carry service imap / pop3, so the same file_data
# matching is applied to mail bodies as well as HTTP responses.
#
# sid 26569 (CVE-2013-1347 / MS13-038): "offsetParent" is the explicit fast_pattern.
# NOTE(review): the second "createElement" content carries no distance/within, so it
# is an absolute search from the start of the buffer and may land on the same
# occurrence as the first; "datalist" and "table" can then both be anchored to one
# createElement. Confirm that is intended rather than two distinct calls.
00447 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer null object access attempt"; flow:to_client,established; file_data; content:"offsetParent",fast_pattern; content:"null",within 10,nocase; content:"createElement"; content:"datalist",within 20; content:"createElement"; content:"table",within 20; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-1347; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-038; classtype:attempted-user; sid:26569; rev:2; service:http; service:imap; service:pop3; )
# sids 26622-26623 (CVE-2013-0096 / MS13-045): wlw: protocol handler, two path variants
# (/perflog, /proxy) within 100 bytes of the scheme. Classed attempted-recon because
# the issue is information disclosure, not code execution.
00450 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Windows Live Writer wlw protocol handler information disclosure attempt"; flow:to_client,established; file_data; content:"wlw|3A|//",fast_pattern,nocase; content:"/perflog",within 100,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-0096; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-045; classtype:attempted-recon; sid:26622; rev:1; service:http; service:imap; service:pop3; )
00451 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Windows Live Writer wlw protocol handler information disclosure attempt"; flow:to_client,established; file_data; content:"wlw|3A|//",fast_pattern,nocase; content:"/proxy",within 100,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-0096; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-045; classtype:attempted-recon; sid:26623; rev:1; service:http; service:imap; service:pop3; )
# sid 26624 (CVE-2013-1297 / MS13-037): "language=vbs" must appear in the first 200
# bytes (depth 200); the negative distance then looks back up to 150 bytes for the
# opening "<script", and the pcre ties a .json src attribute to language=vbs on
# the same tag.
00452 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 7-9 VBScript JSON reference information disclosure attempt"; flow:to_client,established; file_data; content:"language=vbs",depth 200; content:"<script",within 200,distance -150; pcre:"/<script[^>]*src\s*=\s*[\x22\x27][^\x22\x27]*\.json[\x22\x27][^>]*language=vbs/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-1297; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-recon; sid:26624; rev:1; service:http; service:imap; service:pop3; )
# sid 26629 (CVE-2013-1308 / MS13-037). NOTE(review): classtype is attempted-admin
# while the sibling IE use-after-free rules here use attempted-user; confirm the
# classification is deliberate.
00454 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer setInterval focus use after free attempt"; flow:to_client,established; file_data; content:"setInterval"; content:".focus()",within 100; content:"history.go(0)"; pcre:"/setInterval\s*\x28[^\x29]+\x2efocus\x28\x29/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-1308; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-037; classtype:attempted-admin; sid:26629; rev:2; service:http; )
# sid 26630 (CVE-2013-1309 / MS13-037): one exact-literal markup match. A second
# trigger pattern for the same CVE and msg is sid 26753 further down.
00455 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CDispNode float css element use after free attempt"; flow:to_client,established; file_data; content:"<q class=|22|border float zoom|22| xml:space=|22|preserve|22|>"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-1309; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:26630; rev:1; service:http; service:imap; service:pop3; )
# sid 26634 (CVE-2013-1311 / MS13-037): ordered chain of seven contents, the first
# constrained to the initial 100 bytes. sid 27061 later in the file is a looser
# variant of the same msg/CVE with fewer anchors and no depth.
00457 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 8 deleted object access via timer memory corruption attempt"; flow:to_client,established; file_data; content:"document.createElement|28|",depth 100,nocase; content:".innerHTML",distance 0,nocase; content:"document.body.appendChild|28|",distance 0; content:"document.styleSheets",distance 0,nocase; content:"CollectGarbage()",distance 0,nocase; content:"setTimeout|28|function",distance 0,nocase; content:"onload=|27|setTimeout"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-1311; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:26634; rev:3; service:http; service:imap; service:pop3; )
# sid 26636 (CVE-2013-1312 / MS13-037): ordered chain (distance 0) of four contents.
00459 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer DCOMTextNode object use after free attempt"; flow:to_client,established; file_data; content:".focusNode"; content:"focusNode.dispatchEvent",distance 0; content:"CollectGarbage",distance 0; content:"previousSibling",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-1312; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:26636; rev:3; service:http; service:imap; service:pop3; )
# sid 26638 (CVE-2013-2551): the pcre requires a negative number to be assigned to
# .dashstyle.array.length; the two contents only pre-qualify the buffer.
00461 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer VML array with negative length memory corruption attempt"; flow:to_client,established; file_data; content:"#default#VML"; content:".dashstyle.array.length"; pcre:"/\.dashstyle\.array\.length\s*?=[^\x3b]*?-\s*?\d/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,58570; reference:cve,2013-2551; reference:url,osvdb.org/show/osvdb/91197; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:26638; rev:3; service:http; service:imap; service:pop3; )
# sid 26641 (CVE-2013-1307 / MS13-037): the pcre uses a named backreference
# (?P<var>) so the element created by createElement must be the same variable whose
# .runtimeStyle ... .border is later assigned.
00462 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer runtimeStyle memory corruption attempt"; flow:to_client,established; file_data; content:"document.createElement(",nocase; content:".runtimeStyle",within 100,fast_pattern,nocase; content:".border",within 100,nocase; pcre:"/var\s+?(?P<var>[^\s]+?)\s*?=\s*?document\.createElement\(.*?(?P=var)\.runtimeStyle.*?\.border[^=\x3b]*?=\s*?[^\x3b]*?[\x22\x27](\d+?\s|\s+?\d)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-1307; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:26641; rev:2; service:http; service:imap; service:pop3; )
# sid 26633 (CVE-2013-1306 / MS13-037): reload loop. Deliberately softer than its
# neighbours -- balanced-ips is "alert" rather than "drop" and classtype is
# misc-activity, consistent with a denial-of-service-style condition.
00464 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer html reload loop attempt"; flow:to_client,established; file_data; content:"onload"; content:"location.reload",within 25; content:"iframe"; pcre:"/onload\s*\x3D\s*[\x22\x27]?location\.reload\s*\x28/smi"; metadata:policy balanced-ips alert,policy security-ips drop,service http; reference:cve,2013-1306; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-037; classtype:misc-activity; sid:26633; rev:4; service:http; )
# sid 26753 (CVE-2013-1309): second trigger pattern for the CDispNode float UAF
# (see sid 26630); three exact markup literals, all required.
00466 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CDispNode float css element use after free attempt"; flow:to_client,established; file_data; content:"<input type=|22|text|22| style=|22|zoom:10|22|/>"; content:"<body onload=|22|history.go(0)|22|>"; content:"<img style=|22|float:right|22|/>"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-1309; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:26753; rev:1; service:http; service:imap; service:pop3; )
# MS13-047 (June 2013 IE cumulative update) rules, plus one MS13-037 follow-up.
#
# sid 26844 (CVE-2013-3122): three literals; the try/catch fragments are given as
# hex-escaped parens (|28| / |29|) because "(" and ")" are content metacharacters.
00468 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE IE9 layout engine memory corruption attempt"; flow:to_client,established; file_data; content:"}catch|28|"; content:"|29|{}try{",within 10; content:"obj,obj,obj,obj,obj"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-3122; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-047; classtype:attempted-user; sid:26844; rev:1; service:http; )
# sid 26845 (CVE-2013-3120): ordered chain requiring designMode to be toggled
# ("on" ... getSelection ... designMode ... "off"). NOTE(review): the "on" / "off"
# contents are two and three bytes with distance 0 and no within, so they are weak
# anchors on their own; the surrounding chain carries the specificity.
00469 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 10 insertImage with designMode on deleted object access attempt"; flow:to_client,established; file_data; content:"window.open",nocase; content:".eval",distance 0; content:"document.designMode",distance 0,fast_pattern,nocase; content:"on",distance 0,nocase; content:"window.getSelection",distance 0,nocase; content:"document.designMode",distance 0,nocase; content:"off",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26845; rev:1; service:http; service:imap; service:pop3; )
# sid 26847 (CVE-2013-3125): exact JavaScript statement literals (semicolons as |3B|).
00471 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 10 use after free attempt"; flow:to_client,established; file_data; content:"for (var i = 0|3B| i < param.childNodes.length|3B| i++)"; content:"document.selection.createRange().pasteHTML('<td>2<nobr>')"; content:"document.selection.createRange().pasteHTML('<td>3')"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3125; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26847; rev:1; service:http; service:imap; service:pop3; )
# sid 26851 (CVE-2013-3121): IE=5 compatibility meta tag plus setExpression.
# NOTE(review): msg reads "user after free" -- typo for "use after free". Fixing
# the msg changes rule text, so bump rev at the same time.
00472 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE IE5 compatibility mode user after free attempt"; flow:to_client,established; file_data; content:"meta http-equiv=|22|X-UA-Compatible|22| content=|22|IE=5|22|"; content:".runtimeStyle.setExpression"; content:"document.body.innerHTML"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-3121; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-047; classtype:attempted-user; sid:26851; rev:2; service:http; )
# sid 26852 (CVE-2013-3124): requires at least five ".addRange(" and five
# ".createRange()" occurrences, each within 1024 bytes of the previous one.
00473 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer create-add range on DOM objects memory corruption attempt"; flow:to_client,established; file_data; content:".addRange("; content:".addRange(",within 1024; content:".addRange(",within 1024; content:".addRange(",within 1024; content:".addRange(",within 1024; content:".createRange()"; content:".createRange()",within 1024; content:".createRange()",within 1024; content:".createRange()",within 1024; content:".createRange()",within 1024; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3124; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26852; rev:2; service:http; service:imap; service:pop3; )
# sid 26867 (CVE-2013-3139): select element created, then removed via parentNode.
00475 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 8 select element deleted object access attempt"; flow:to_client,established; file_data; content:"document.body.appendChild(document.createElement('select'))"; content:"document.getElementsByTagName('select')",nocase; content:"parentNode.removeChild(document.getElementsByTagName('select')",within 100,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3139; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26867; rev:1; service:http; service:imap; service:pop3; )
# sids 26869 / 26871 (CVE-2013-3118): the same getElementsByTagNameNS /
# removeAttributeNS(... null) pattern anchored in two different orders; sid 27100
# later covers an SVG rect clip-path form of the same CVE.
00477 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer double-free memory corruption attempt"; flow:to_client,established; file_data; content:"document.getElementsByTagNameNS(",nocase; content:"www.w3.org",within 50,nocase; content:"removeAttributeNS(",nocase; content:"null",within 20,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3118; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26869; rev:1; service:http; service:imap; service:pop3; )
00479 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer double-free memory corruption attempt"; flow:to_client,established; file_data; content:"www.w3.org",nocase; content:"document.getElementsByTagNameNS(",within 100,nocase; content:"removeAttributeNS(",within 100,nocase; content:"null",within 20,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3118; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26871; rev:1; service:http; service:imap; service:pop3; )
# sid 26873 (CVE-2013-3117): link href read plus createStyleSheet.
00481 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 9 CSS rules cache use-after-free attempt"; flow:to_client,established; file_data; content:"document.getElementsByTagName(|22|link|22|)[0].href"; content:"document.createStyleSheet",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3117; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26873; rev:1; service:http; service:imap; service:pop3; )
# sid 26875 (CVE-2013-3119): DOMNodeRemoved listener removed/added; sid 26988 later
# is a second literal for the same CVE. NOTE(review): msg has "CTreeNodeobject"
# (missing space) in both rules -- a rev bump accompanies any msg fix.
00483 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 9 CTreeNodeobject use-after-free attempt"; flow:to_client,established; file_data; content:"div1.removeEventListener( |27|DOMNodeRemoved|27|, callback, true )"; content:"addEventListener"; content:"DOMNodeRemoved",within 40; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3119; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26875; rev:1; service:http; service:imap; service:pop3; )
# sid 26876 (CVE-2013-3116): focus() then applyElement() on the first input element.
00484 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 9 cached display node use-after-free attempt"; flow:to_client,established; file_data; content:"document.getElementsByTagName(|22|input|22|)[0].focus()"; content:"document.getElementsByTagName(|22|input|22|)[0].applyElement(a)"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3116; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26876; rev:1; service:http; service:imap; service:pop3; )
# sid 26878 (CVE-2013-3110): "ClientRects" is the fast_pattern; the two trailing
# "p id" contents (distance 0) require two further occurrences after it.
00485 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 8 tree element use after free attempt"; flow:to_client,established; file_data; content:"document.getElementById",nocase; content:"appendChild",within 50,nocase; content:"ClientRects",within 50,fast_pattern,nocase; content:"p id",distance 0; content:"p id",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-3110; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-047; classtype:attempted-user; sid:26878; rev:2; service:http; )
# sids 26883 / 26884 (CVE-2013-3123): the pcre captures the function name
# (?P<onload>) whose body contains history.go(0) (26883) or location.reload(
# (26884) and requires that same name in the <body onload= attribute.
00486 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer onscroll use after free attempt"; flow:to_client,established; file_data; content:"<body onload",nocase; content:"onscroll=",within 50,fast_pattern; content:"history.go(0)"; pcre:"/<script\s*>((?!</script>).)*?function (?P<onload>\w+).*?\{[^}]*?history\.go\(\s*0\s*\).*?<body[^>]*?onload\s*=\s*[\x22\x27](?P=onload)/ims"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3123; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-047; classtype:attempted-user; sid:26883; rev:2; service:http; service:imap; service:pop3; )
00487 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer onscroll use after free attempt"; flow:to_client,established; file_data; content:"<body onload",nocase; content:"onscroll=",within 50,fast_pattern; content:"location.reload("; pcre:"/<script\s*>((?!</script>).)*?function (?P<onload>\w+).*?\{[^}]*?location\.reload\(.*?<body[^>]*?onload\s*=\s*[\x22\x27](?P=onload)/ims"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3123; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-047; classtype:attempted-user; sid:26884; rev:2; service:http; service:imap; service:pop3; )
# sid 26888 (CVE-2013-3142): jQuery-based trigger; the pcre requires a css("margin...")
# call whose value is a 12+ digit px number.
00490 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CTreeNode use after free memory corruption attempt"; flow:to_client,established; file_data; content:"jquery"; content:"document.createElement",nocase; content:".document.body.appendChild(",within 100,nocase; content:".replaceAll(",within 150,nocase; pcre:"/css\s*?\x28\s*?[\x22\x27]margin[^\x29]*?[\x22\x27]\s*?\x2c\s*?[\x22\x27]\d{12,}\s*?px/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3142; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26888; rev:1; service:http; service:imap; service:pop3; )
# sid 26890 (CVE-2013-3114): CollectGarbage() plus an xml element given a
# setAttributeNode and XMLDocument access within 100 bytes of each other.
00492 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CDocument use after free attempt"; flow:to_client,established; file_data; content:"CollectGarbage()"; content:".createElement",nocase; content:"xml",within 10,nocase; content:".setAttributeNode",within 100,nocase; content:".XMLDocument",within 100,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-3114; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-047; classtype:attempted-user; sid:26890; rev:1; service:http; )
# sid 26988 (CVE-2013-3119): single literal; companion to sid 26875 (same msg typo).
00496 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 9 CTreeNodeobject use-after-free attempt"; flow:to_client,established; file_data; content:"ele1.addEventListener( |27|DOMNodeRemoved|27|, eHandler, false )"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3119; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:26988; rev:1; service:http; service:imap; service:pop3; )
# sid 27061 (CVE-2013-1311 / MS13-037): relaxed variant of sid 26634 -- fewer
# contents, no depth constraint, single-quoted onload literal.
00497 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 8 deleted object access via timer memory corruption attempt"; flow:to_client,established; file_data; content:".innerHTML",nocase; content:"document.body.appendChild|28|",distance 0; content:"CollectGarbage()",distance 0,nocase; content:"setTimeout|28|",distance 0,nocase; content:"onload='setTimeout"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-1311; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:27061; rev:1; service:http; service:imap; service:pop3; )
# sid 27100 (CVE-2013-3118): SVG form -- a <rect> with an empty clip-path attribute
# that is then removed via removeAttributeNS("", "clip-path").
00499 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer double-free memory corruption attempt"; flow:to_client,established; file_data; content:"<rect id=",nocase; content:"clip-path=|22 22|/>",within 25,nocase; content:".removeAttributeNS(|22 22|,|22|clip-path|22 29 3B|",within 100,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3118; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-047; classtype:attempted-user; sid:27100; rev:1; service:http; service:imap; service:pop3; )
# MS13-055 (July 2013 IE cumulative update) rules, plus one MS12-052 rule.
#
# sid 27126 (CVE-2013-3150): three consecutive getElementById / setCapture pairs,
# each within 50 bytes of the previous match.
00501 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer setCapture use after free attempt"; flow:to_client,established; file_data; content:".getElementById(",nocase; content:".setCapture(",within 50,fast_pattern,nocase; content:".getElementById(",within 50,nocase; content:".setCapture(",within 50,nocase; content:".getElementById(",within 50,nocase; content:".setCapture(",within 50,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-3150; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27126; rev:2; service:http; )
# sid 27127 (CVE-2013-3143): DOMNodeRemoved listener followed by document.write
# within 30 bytes.
00502 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 10 CTreePos use-after-free attempt"; flow:to_client,established; file_data; content:"addEventListener",nocase; content:"DOMNodeRemoved",within 50,nocase; content:"document.write",within 30,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3143; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27127; rev:1; service:http; service:imap; service:pop3; )
# sid 27129 (CVE-2013-3148): single literal, onbeforecopy handler calling document.write("").
00504 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 9 use after free attempt"; flow:to_client,established; file_data; content:"onbeforecopy=|27|document.write(|22 22|)|27|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3148; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27129; rev:1; service:http; service:imap; service:pop3; )
# sid 27131 (CVE-2013-3151): one long exact literal spanning four JS statements.
# NOTE(review): a literal this specific gives narrow coverage -- any whitespace or
# variable-name change in the page defeats it; consider whether a pcre with
# tolerant spacing would keep the same false-positive profile.
00506 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 8 CTreePos use after free attempt"; flow:to_client,established; file_data; content:"appendChild(document.createElement('q'))|3B|document.body.appendChild(document.createElement('q'))|3B|document.body.appendChild(document.createElement('progress'))|3B|document.getElementsByTagName"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-3151; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27131; rev:1; service:http; )
# sid 27132 (CVE-2013-3153): onpropertychange handler whose function body calls swapNode.
00507 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer PreviousTreePos use after free attempt"; flow:to_client,established; file_data; content:".onpropertychange"; content:".swapNode|28|",within 64; pcre:"/\.onpropertychange\s*=\s*function[^{]*?\{[^}]*?\w+\.swapNode\x28/ims"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3153; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27132; rev:1; service:http; service:imap; service:pop3; )
# sid 27133 (CVE-2013-3115): pcre binds the first input element to (?P<var>) and
# requires that variable to get .height = 0 and later .disabled = true, within
# bounded gaps (.{0,256} / .{0,512}).
00508 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer display node use after free attempt"; flow:to_client,established; file_data; content:"getElementsByTagName|28|"; content:"input",within 8; content:".height",distance 0; content:".focus|28 29|",distance 0; content:"document.body.noWrap",distance 0; content:".disabled",distance 0; pcre:"/(?P<var>\w+)\s*=\s*[\w.]+\.getElementsByTagName\(\s*[\x22\x27]input[\x22\x27]\s*\)(\[\s*0\s*]|\.first)\s*\x3b.{0,256}(?P=var)\.height\s*=\s*0\s*\x3b.{0,512}(?P=var)\.disabled\s*=\s*true/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3115; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-055; classtype:attempted-user; sid:27133; rev:1; service:http; service:imap; service:pop3; )
# sid 27135 (CVE-2013-3152): four unordered, unbounded API-name literals
# (createTHead, insertAdjacentHTML, scrollIntoView, insertRow). NOTE(review): with
# no distance/within between them these are all absolute matches, so any page
# using the four APIs anywhere qualifies -- watch the false-positive rate.
00510 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 10 CTreePos use after free attempt"; flow:to_client,established; file_data; content:"createTHead"; content:"insertAdjacentHTML"; content:"scrollIntoView"; content:"insertRow"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-3152; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27135; rev:1; service:http; )
# sid 27137 (CVE-2013-3164): body.innerHTML, then styleSheets[0].cssText, then
# body.innerHTML again, each within 250 bytes.
00511 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer CTreeNode use after free memory corruption attempt"; flow:to_client,established; file_data; content:"document.body.innerHTML",nocase; content:"document.styleSheets[0].cssText",within 250,nocase; content:"document.body.innerHTML",within 250,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3164; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27137; rev:4; service:http; service:imap; service:pop3; )
# sid 27147 (CVE-2013-3144): IE=5 compatibility meta plus removeChild/appendChild.
# Style: "flow:established,to_client" is the reverse of the ordering used by every
# other rule here; the two are equivalent, but the inconsistency is worth
# normalising. Also classed attempted-admin rather than attempted-user.
00513 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer 9 IE5 compatibility mode use after free attempt"; flow:established,to_client; file_data; content:"meta http-equiv=|22|X-UA-Compatible|22| content=|22|IE=5|22|"; content:"event.srcElement.parentNode.removeChild|28|"; content:"document.body.appendChild|28|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-3144; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-055; classtype:attempted-admin; sid:27147; rev:1; service:http; )
# sid 27148 (CVE-2013-3147): function containing document.write, then an
# onbeforeeditfocus= handler, then an <input>...</input> pair, in order.
00514 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer versions 6-9 deleted object access attempt"; flow:to_client,established; file_data; content:"function",nocase; content:"document.write",within 25,nocase; content:"onbeforeeditfocus=",within 100,nocase; content:"<input",within 25,nocase; content:"</input>",within 30,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3147; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-055; classtype:attempted-user; sid:27148; rev:1; service:http; service:imap; service:pop3; )
# sids 27150 / 27151 (CVE-2013-3163): the same execCommand("SelectAll") /
# getElementsByName / execCommand("Justify...) contents in two different orders.
# "SelectAll",within 9,distance 1 skips the quote character after "execCommand(".
# sid 27171 below covers a third, applyElement-based trigger for the same CVE.
00516 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer use after free attempt"; flow:to_client,established; file_data; content:"myObj[0].offset"; content:"document.execCommand(",nocase; content:"SelectAll",within 9,distance 1,nocase; content:"document.getElementsByName(",within 100,nocase; content:"document.execCommand(|22|Justify",within 200,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3163; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27150; rev:1; service:http; service:imap; service:pop3; )
00517 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer use after free attempt"; flow:to_client,established; file_data; content:"myObj[0].offset"; content:"document.getElementsByName(",nocase; content:"document.execCommand(|22|Justify",within 200,nocase; content:"document.execCommand(",within 100,nocase; content:"SelectAll",within 9,distance 1,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3163; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27151; rev:1; service:http; service:imap; service:pop3; )
# sid 27154 (CVE-2013-3145): removeChild of a bdo element followed by CollectGarbage().
00520 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer pElement member use after free attempt"; flow:to_client,established; file_data; content:".removeChild(document.getElementsByTagName(",nocase; content:"bdo",within 10,nocase; content:"CollectGarbage()",within 200,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-3145; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27154; rev:1; service:http; )
# sid 27156 (CVE-2013-3146): pcre binds the first td element to (?P<var>) and
# requires its style.column-count (property or setAttribute form) to be set to an
# 8-hex-digit value, i.e. a 32-bit-sized number.
00521 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer table column-count integer overflow attempt"; flow:to_client,established; file_data; content:"<table",nocase; content:"<td",distance 0; content:".getElementsByTagName("; content:"column-count",distance 0; pcre:"/var\s*(?P<var>\w+)\s*=\s*\w+\.getElementsByTagName\(\s*[\x22\x27]td[\x22\x27]\s*\)\.item(\(\s*0\s*\)|\.first)\s*\x3b.*?(?P=var)\.style\.(column-count\s*=|setAttribute\s*\(\s*[\x22\x27]column-count[\x22\x27]\s*,)\s*[\x22\x27]?(0x)?[a-f\d]{8}/msi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3146; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27156; rev:1; service:http; service:imap; service:pop3; )
# sid 27171 (CVE-2013-3163): pcre binds the created element (?P<badelement>) and
# requires it to be appended, passed to applyElement, then have innerHTML set to
# an empty string.
00523 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer use after free attempt"; flow:to_client,established; file_data; content:"document.createElement(",nocase; content:"document.body.appendChild(",within 100,nocase; content:"applyElement(",within 100,fast_pattern,nocase; content:"innerHTML",within 100,nocase; pcre:"/var\s*?(?P<badelement>\w+)\s*?=\s*?document\.createElement.*?document\.body\.appendChild[\x28]\s*?(?P=badelement)\s*?[\x29].*?applyElement[\x28]\s*?(?P=badelement)\s*?[\x29].*?innerHTML\s*?=\s*?[\x22\x27]\s*?[\x22\x27]/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3163; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-055; classtype:attempted-user; sid:27171; rev:1; service:http; service:imap; service:pop3; )
# sid 27220 (CVE-2012-2522 / MS12-052): three element ids (select, marquee, span)
# are captured and cross-referenced through focus(), innerHTML, removeNode(true)
# and execCommand("selectAll"). Heavy pcre with several .*? -- expensive on large
# bodies, but pre-qualified by the four content matches.
00525 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer virtual function table corruption attempt"; flow:to_client,established; file_data; content:"<MARQUEE"; content:".removeNode"; content:"document.execCommand"; content:"selectAll",within 15; pcre:"/select\s*?id\s*?=[\x22\x27](?P<badelem>\w+).*?<\s*?marquee\s*?id\s*?=\s*?[\x22\x27](?P<badelem2>\w+).*?<\s*?span\s*?id\s*?=[\x22\x27](?P<badelem3>\w+)[\x22\x27].*?[\x22\x27](?P=badelem)[\x22\x27]\x29\s*?\.focus\x28\x29.*?(?P=badelem3)\.innerHTML.*?[\x22\x27](?P=badelem2)[\x22\x27]\x29\s*?\.removeNode\x28\s*?true\x29.*?document\.execCommand\x28[\x22\x27]selectAll/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,54951; reference:cve,2012-2522; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-052; classtype:attempted-user; sid:27220; rev:1; service:http; service:imap; service:pop3; )
# BROWSER-OTHER: Opera and generic HTML5 rules. These carry vendor/advisory URL
# references only -- no CVE is listed for any of them.
#
# sid 16592 (Opera): ordered chain of two mutually re-arming setInterval loops
# around document.write.
00527 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-OTHER Opera asynchronous document modifications attempted memory corruption"; flow:to_client,established; file_data; content:"function loop|28 29|"; content:"setInterval|28|doit,0|29|",distance 0; content:"function doit|28 29|",distance 0; content:"document.write",distance 0; content:"setInterval|28|loop,0|29|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,secunia.com/advisories/39590/; reference:url,www.opera.com/support/kb/view/953/; classtype:attempted-user; sid:16592; rev:4; service:http; )
# sids 24432 / 24433: HTML5 canvas heap-spray technique, classed shellcode-detect.
# 24432 anchors on a " for" loop followed by canvas / 2d context / createImageData
# within bounded gaps. NOTE(review): " for" is a four-byte, very common literal;
# no fast_pattern is set, so the matcher's default choice (presumably the longest
# content) is what keeps this cheap -- confirm.
00528 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-OTHER HTML5 canvas element heap spray attempt"; flow:to_client,established; file_data; content:" for"; content:"document.createElement(|27|canvas|27|)",within 100,nocase; content:"getContext(|27|2d|27|)",within 200,nocase; content:"createImageData(",within 200,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=HTML5_Heap_Sprays_Pwn_All_The_Things; classtype:shellcode-detect; sid:24432; rev:4; service:http; service:imap; service:pop3; )
# 24433: single literal for a 1 MiB Uint8ClampedArray allocation.
00529 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-OTHER HTML5 canvas element heap spray attempt"; flow:to_client,established; file_data; content:"Uint8ClampedArray(1024*1024)|3B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=HTML5_Heap_Sprays_Pwn_All_The_Things; classtype:shellcode-detect; sid:24433; rev:2; service:http; service:imap; service:pop3; )
# sid 25621 (Opera UAF): window.opera.collect() plus SVG clipPath; the pcre ties a
# clipPath id (?P<id_name>) and a shape id (?P<shape_name>) to a getElementById
# on the shape and a url(#id) reference back to the clipPath. "use",within 3,
# distance 2 expects a quote character between createElement( and use.
00530 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-OTHER Opera use after free attempt"; flow:to_client,established; file_data; content:"window.opera.collect|28 29|"; content:"<svg"; content:"<clipPath"; content:"document.createElement"; content:"use",within 3,distance 2; pcre:"/\x3cclippath\s*?id\s*?\x3d[\x22\x27](?P<id_name>\w+).*?(\x3ccircle|\x3crect|\x3cellipse|\x3cline|\x3cpolyline|\x3cpolygon)\s*?id\s*?\x3d\s*?[\x22\x27](?P<shape_name>\w+).*?document\x2egetElementById\x28[\x22\x27](?P=shape_name).*?\x3d\s*[\x22\x27]url\x28\x23(?P=id_name)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,pastie.org/6029531#32; classtype:attempted-user; sid:25621; rev:1; service:http; service:imap; service:pop3; )
00532 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Media Player ActiveX unknown compression algorithm use arbitrary code execution attempt"; flow:to_client,established; file_data; content:"6BF52A52-394A-11d3-B153-00C04F79FAA6",nocase; content:"SendPlayStateChangeEvents",fast_pattern,nocase; content:"event=|22|playStateChange|28|state|29 22|>onstatechange",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-0268; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-027; classtype:attempted-user; sid:16537; rev:7; service:http; )
00533 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS FileSystemObject function call"; flow:to_client,established; file_data; content:"Scripting.FileSystemObject"; content:"<script",nocase; content:"Scripting.FileSystemObject",distance 0,nocase; content:"</script>",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-3934; classtype:policy-violation; sid:21447; rev:4; service:http; )
00534 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft DirectShow ActiveX exploit via JavaScript"; flow:to_client,established; file_data; content:".classid='clsid|3A|0955AC62-BF2E-4CBA-A2B9-A63F772D46CF'|3B|",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-032; classtype:attempted-user; sid:15678; rev:8; service:http; )
00535 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS iseemedia LPViewer ActiveX buffer overflows attempt"; flow:to_client,established; file_data; content:"url"; content:"toolbar",distance 0; content:"enableZoomPastMax",distance 0; content:"classid=|22|clsid|3A|{3F0EECCE-E138-11D1-8712-0060083D83F5}",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,31604; reference:cve,2008-4384; classtype:attempted-user; sid:16589; rev:4; service:http; )
00536 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS AtHocGov IWSAlerts ActiveX control buffer overflow attempt"; flow:to_client,established; file_data; content:"AtHocGovGSTlBar.GSHelper.1"; content:".CompleteInstallation|28|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.fortiguard.com/encyclopedia/vulnerability/athocgov.iwsalerts.activex.buffer.overflow.html; classtype:attempted-user; sid:16599; rev:5; service:http; )
00537 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS SaschArt SasCam Webcam Server ActiveX control exploit attempt"; flow:to_client,established; file_data; content:"clsid|3A|0297D24A-F425-47EE-9F3B-A459BCE593E3",nocase; content:"unescape|28|",within 300,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,33053; reference:cve,2008-6898; classtype:attempted-user; sid:16715; rev:3; service:http; )
00539 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS AwingSoft Web3D Player WindsPlayerIE.View.1 ActiveX SceneURL method overflow attempt"; flow:to_client,established; file_data; content:"classid|3D 27|clsid|3A|17A54E7D-A9D4-11D8-9552-00E04CB09903|27|"; content:"unescape|28 27 25|u",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-4588; classtype:attempted-user; sid:16771; rev:4; service:http; )
00540 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Chilkat Crypt 2 ActiveX object access attempt"; flow:to_client,established; file_data; content:"|3D| new ActiveXObject|28 22|ChilkatCrypt2|2E|ChilkatCrypt2|22 29 3B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,32073; reference:cve,2008-5002; classtype:attempted-user; sid:16789; rev:6; service:http; )
00541 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Chilkat Crypt 2 ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"classid|3D 27|clsid|3A|3352B5B9-82E8-4FFD-9EB1-1A3E60056904|27|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,32073; reference:cve,2008-5002; classtype:attempted-user; sid:16790; rev:6; service:http; )
00542 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Roxio CinePlayer SonicDVDDashVRNav.dll ActiveX control buffer overflow attempt"; flow:to_client,established; file_data; content:"9F1363DA-0220-462E-B923-9E3C9038896F"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,23412; reference:cve,2007-1559; classtype:attempted-user; sid:17060; rev:4; service:http; )
00543 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Creative Software AutoUpdate Engine CTSUEng.ocx ActiveX control access attempt"; flow:to_client,established; file_data; content:"classid|3D 27|clsid|3A|0A5FD7C5-A45C-49FC-ADB5-9952547D5715|27|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,29391; reference:cve,2008-0955; classtype:attempted-user; sid:17086; rev:4; service:http; service:imap; service:pop3; )
00544 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS VeryDOC PDF Viewer ActiveX control OpenPDF buffer overflow attempt"; flow:to_client,established; file_data; content:"classid|3D 27|clsid|3A|433268D7-2CD4-43E6-AA24-2188672E7252|27|"; content:"unescape|28 27 25|u",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,32313; reference:cve,2008-5492; classtype:attempted-user; sid:17091; rev:5; service:http; )
00545 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS AOL IWinAmpActiveX class ConvertFile buffer overflow attempt"; flow:to_client,established; file_data; content:"classid|3D 27|clsid|3A|FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6|27|"; content:"ConvertFile"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,35028; classtype:attempted-user; sid:17098; rev:4; service:http; )
00546 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS RealNetworks RealPlayer ActiveX Import playlist name buffer overflow attempt"; flow:to_client,established; file_data; content:"FDC7A535-4070-4B92-A0EA-D9994BCC0DC5"; content:"aaaaaaaaaaaaaaaaaa",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,26130; reference:cve,2007-5601; classtype:attempted-user; sid:17425; rev:6; service:http; )
00547 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Macrovision InstallShield Update Service ActiveX exploit attempt"; flow:to_client,established; file_data; content:"E9880553-B8A7-4960-A668-95C68BED571E"; content:"unescape|28 27 25 75 34|",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,26280; reference:bugtraq,31235; reference:cve,2007-5660; reference:url,support.installshield.com/kb/view.asp?articleid=Q113602; classtype:attempted-user; sid:17555; rev:5; service:http; )
00548 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Symantec Backup Exec ActiveX control buffer overflow attempt"; flow:to_client,established; file_data; content:"clsid|3A|22ACD16F-99EB-11D2-9BB3-00400561D975"; content:"unescape|28|"; content:"|25|u",within 5; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,26904; reference:cve,2007-6016; classtype:attempted-user; sid:16672; rev:6; service:http; )
00549 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Facebook Photo Uploader ActiveX exploit attempt"; flow:to_client,established; file_data; content:"5C6698D9-7BE4-4122-8EC5-291D84DBD4A0"; content:"unescape|28 22 25|u",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,27534; reference:bugtraq,27756; reference:cve,2008-5711; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:17654; rev:7; service:http; )
00550 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Office Viewer ActiveX arbitrary command execution attempt"; flow:to_client,established; file_data; content:"18A295DA-088E-42D1-BE31-5028D7F9B9B5",nocase; content:"targetObject.OpenWebFile|28|",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips alert,service http; reference:bugtraq,23811; reference:bugtraq,33238; reference:bugtraq,33243; reference:bugtraq,33245; reference:cve,2007-2588; reference:url,moaxb.blogspot.com/2007/05/moaxb-04-office-viewer-oaocx-v-32.html; classtype:attempted-user; sid:17701; rev:5; service:http; )
00551 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Media Player ActiveX unknown compression algorithm use arbitrary code execution attempt"; flow:to_client,established; file_data; content:"6BF52A52-394A-11d3-B153-00C04F79FAA6",nocase; content:"poc|2E|avi",fast_pattern,nocase; content:"event|3D 22|playStateChange|28|foo|29 22 3E|boom",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-0268; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-027; classtype:attempted-user; sid:18542; rev:6; service:http; )
00552 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Common Controls Animation Object ActiveX clsid access"; flow:to_client,established; file_data; content:"path|20 3D 20|theForm|2E|address|2E|value|3B|"; content:"ctrl|2E|Open|28|path|29 3B|",distance 0; content:"classid|3D 27|clsid|3A|B09DE715|2D|87C1|2D|11D1|2D|8BE3|2D|0000F8754DA1|27 20|id|3D 27|ctrl|27|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,32613; reference:cve,2008-4255; classtype:attempted-user; sid:18601; rev:4; service:http; )
00553 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS iseemedia LPViewer ActiveX exploit attempt"; flow:to_client,established; file_data; content:"ActiveXObject|28|'LPViewer.LPViewer.1'|29|"; content:"unescape",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,31604; reference:cve,2008-4384; classtype:attempted-user; sid:16588; rev:5; service:http; )
00555 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Teechart Professional ActiveX clsid access"; flow:to_client,established; file_data; content:"BDEB0088-66F9-4A55-ABD2-0BF8DEEC1196"; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*BDEB0088-66F9-4A55-ABD2-0BF8DEEC1196\s*}?\s*(?P=q1)(\s|>|\x2F)/siO"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,osvdb.org/show/osvdb/74446; classtype:attempted-user; sid:23376; rev:3; service:http; service:imap; service:pop3; )
00556 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Teechart Professional ActiveX clsid access"; flow:to_client,established; file_data; content:"FAB9B41C-87D6-474D-AB7E-F07D78F2422E"; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*FAB9B41C-87D6-474D-AB7E-F07D78F2422E\s*}?\s*(?P=q1)(\s|>|\x2F)/siO"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,osvdb.org/show/osvdb/74446; classtype:attempted-user; sid:23375; rev:3; service:http; service:imap; service:pop3; )
00557 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Teechart Professional ActiveX clsid access"; flow:to_client,established; file_data; content:"536600D3-70FE-4C50-92FB-640F6BFC49AD"; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*536600D3-70FE-4C50-92FB-640F6BFC49AD\s*}?\s*(?P=q1)(\s|>|\x2F)/siO"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,osvdb.org/show/osvdb/74446; classtype:attempted-user; sid:23374; rev:3; service:http; service:imap; service:pop3; )
00558 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Teechart Professional ActiveX clsid access"; flow:to_client,established; file_data; content:"B6C10489-FB89-11D4-93C9-006008A7EED4"; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*B6C10489-FB89-11D4-93C9-006008A7EED4\s*}?\s*(?P=q1)(\s|>|\x2F)/siO"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,osvdb.org/show/osvdb/74446; classtype:attempted-user; sid:23373; rev:3; service:http; service:imap; service:pop3; )
00559 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Teechart Professional ActiveX clsid access"; flow:to_client,established; file_data; content:"FCB4B50A-E3F1-4174-BD18-54C3B3287258"; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*FCB4B50A-E3F1-4174-BD18-54C3B3287258\s*}?\s*(?P=q1)(\s|>|\x2F)/siO"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,osvdb.org/show/osvdb/74446; classtype:attempted-user; sid:23372; rev:3; service:http; service:imap; service:pop3; )
00560 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Msxml2.FreeThreadedDOMDocument.6.0"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Msxml2\.FreeThreadedDOMDocument\.6\.0(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23304; rev:3; service:http; service:imap; service:pop3; )
00561 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"88d96a06-f192-11d4-a65f-0040963251e5"; content:".definition(",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23303; rev:2; service:http; service:imap; service:pop3; )
00562 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Msxml2.DOMDocument.6.0"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Msxml2\.DOMDocument\.6\.0(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23302; rev:3; service:http; service:imap; service:pop3; )
00563 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Msxml2.FreeThreadedDOMDocument.5.0"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Msxml2\.FreeThreadedDOMDocument\.5\.0(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23301; rev:3; service:http; service:imap; service:pop3; )
00564 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"88d969e6-f192-11d4-a65f-0040963251e5"; content:".definition(",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23300; rev:2; service:http; service:imap; service:pop3; )
00565 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Msxml2.DOMDocument.5.0"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Msxml2\.DOMDocument\.5\.0(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23299; rev:3; service:http; service:imap; service:pop3; )
00566 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Msxml2.FreeThreadedDOMDocument.4.0"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Msxml2\.FreeThreadedDOMDocument\.4\.0(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23298; rev:3; service:http; service:imap; service:pop3; )
00567 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"88d969c1-f192-11d4-a65f-0040963251e5"; content:".definition(",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23297; rev:2; service:http; service:imap; service:pop3; )
00568 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Msxml2.DOMDocument.4.0"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Msxml2\.DOMDocument\.4\.0(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23296; rev:3; service:http; service:imap; service:pop3; )
00569 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"MSXML2.FreeThreadedDOMDocument"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))MSXML2\.FreeThreadedDOMDocument(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23295; rev:3; service:http; service:imap; service:pop3; )
00570 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"f6d90f12-9c73-11d3-b32e-00c04f990bb4"; content:".definition(",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23294; rev:2; service:http; service:imap; service:pop3; )
00571 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Msxml2.FreeThreadedDOMDocument.3.0"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Msxml2\.FreeThreadedDOMDocument\.3\.0(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23293; rev:3; service:http; service:imap; service:pop3; )
00572 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"f5078f33-c551-11d3-89b9-0000f81fe221"; content:".definition(",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23292; rev:2; service:http; service:imap; service:pop3; )
00573 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Msxml2.DOMDocument"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Msxml2\.DOMDocument(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23291; rev:3; service:http; service:imap; service:pop3; )
00574 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Msxml2.DOMDocument.3.0"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Msxml2\.DOMDocument\.3\.0(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23290; rev:3; service:http; service:imap; service:pop3; )
00575 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Microsoft.FreeThreadedXMLDOM.1.0"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Microsoft\.FreeThreadedXMLDOM\.1\.0(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23289; rev:3; service:http; service:imap; service:pop3; )
00576 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"2933bf91-7b36-11d2-b20e-00c04f983e60"; content:".definition(",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23288; rev:2; service:http; service:imap; service:pop3; )
00577 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Microsoft.XMLDOM.1.0"; content:".definition(",nocase; pcre:"/(var|set)\s+\w+\s*=\s*(new\s+ActiveXObject|CreateObject)\s*\((?P<q1>(\x22|\x27|))Microsoft\.XMLDOM\.1\.0(?P=q1)\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23287; rev:3; service:http; service:imap; service:pop3; )
00578 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"2933bf90-7b36-11d2-b20e-00c04f983e60"; content:".definition(",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23286; rev:2; service:http; service:imap; service:pop3; )
00579 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"88d96a05-f192-11d4-a65f-0040963251e5"; content:".definition",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23146; rev:3; service:http; service:imap; service:pop3; )
00580 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"88d969e5-f192-11d4-a65f-0040963251e5"; content:".definition",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23145; rev:3; service:http; service:imap; service:pop3; )
00581 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"88d969c0-f192-11d4-a65f-0040963251e5"; content:".definition",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23144; rev:3; service:http; service:imap; service:pop3; )
00582 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"f5078f32-c551-11d3-89b9-0000f81fe221"; content:".definition",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23143; rev:3; service:http; service:imap; service:pop3; )
00583 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"f6d90f11-9c73-11d3-b32e-00c04f990bb4"; content:".definition",nocase; pcre:"/\x2edefinition\s*\x28/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23142; rev:3; service:http; service:imap; service:pop3; )
00584 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Media Encoder 9 ActiveX function call access"; flow:to_client,established; file_data; content:"WMEnc.WMEncProfileManager"; pcre:"/(?P<c>\w+)\s*=\s*(\x22WMEnc\.WMEncProfileManager\x22|\x27WMEnc\.WMEncProfileManager\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*GetDetailsString\s*|.*(?P=v)\s*\.\s*GetDetailsString\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22WMEnc\.WMEncProfileManager\x22|\x27WMEnc\.WMEncProfileManager\x27)\s*\)(\s*\.\s*GetDetailsString\s*|.*(?P=n)\s*\.\s*GetDetailsString\s*)\s*\(/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-3008; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-053; classtype:attempted-user; sid:14257; rev:8; service:http; )
00585 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Media Encoder 9 ActiveX clsid access"; flow:to_client,established; file_data; content:"A8D3AD02-7508-4004-B2E9-AD33F087F43C",nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A8D3AD02-7508-4004-B2E9-AD33F087F43C\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(GetDetailsString)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A8D3AD02-7508-4004-B2E9-AD33F087F43C\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(GetDetailsString))\s*\(/siO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-3008; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-053; classtype:attempted-user; sid:14255; rev:9; service:http; )
00586 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Help 2.0 Contents Control ActiveX function call access"; flow:to_client,established; file_data; content:"HxVz.HxTocCtrl"; pcre:"/(?P<c>\w+)\s*=\s*(\x22HxVz\.HxTocCtrl\x22|\x27HxVz\.HxTocCtrl\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22HxVz\.HxTocCtrl\x22|\x27HxVz\.HxTocCtrl\x27)\s*\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-1086; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-023; classtype:attempted-user; sid:13670; rev:8; service:http; )
00587 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Help 2.0 Contents Control ActiveX clsid access"; flow:to_client,established; file_data; content:"314111b8-a502-11d2-bbca-00c04f8ec294",nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*314111b8-a502-11d2-bbca-00c04f8ec294\s*}?\s*(?P=q1)(\s|>)/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-1086; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-023; classtype:attempted-user; sid:13668; rev:8; service:http; )
00588 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Help 2.0 Contents Control 2 ActiveX function call access"; flow:to_client,established; file_data; content:"HxVz.HxIndexCtrl"; pcre:"/(?P<c>\w+)\s*=\s*(\x22HxVz\.HxIndexCtrl\x22|\x27HxVz\.HxIndexCtrl\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22HxVz\.HxIndexCtrl\x22|\x27HxVz\.HxIndexCtrl\x27)\s*\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-1086; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-023; classtype:attempted-user; sid:13674; rev:8; service:http; )
00589 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Help 2.0 Contents Control 2 ActiveX clsid access"; flow:to_client,established; file_data; content:"314111c6-a502-11d2-bbca-00c04f8ec294",nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q5>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*314111c6-a502-11d2-bbca-00c04f8ec294\s*}?\s*(?P=q5)(\s|>)/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-1086; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-023; classtype:attempted-user; sid:13672; rev:8; service:http; )
00590 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Forms 2.0 ActiveX function call access"; flow:to_client,established; file_data; content:"Forms.Image"; pcre:"/(?P<c>\w+)\s*=\s*(\x22Forms\.Image\x22|\x27Forms\.Image\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Forms\.Image\x22|\x27Forms\.Image\x27)\s*\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2007-0065; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-008; classtype:attempted-user; sid:13459; rev:8; service:http; )
00591 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Forms 2.0 ActiveX clsid access"; flow:to_client,established; file_data; content:"4C599241-6926-101B-9992-00000B65C6F9",nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*4C599241-6926-101B-9992-00000B65C6F9\s*}?\s*(?P=q1)(\s|>)/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2007-0065; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-008; classtype:attempted-user; sid:13457; rev:8; service:http; )
00592 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Visual Basic Hierarchical FlexGrid ActiveX function call access"; flow:to_client,established; file_data; content:"MSHierarchicalFlexGridLib.MSHFlexGrid",nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22MSHierarchicalFlexGridLib\.MSHFlexGrid(\.\d)?\x22|\x27MSHierarchicalFlexGridLib\.MSHFlexGrid(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*Rows\s*|.*(?P=v)\s*\.\s*Rows\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22MSHierarchicalFlexGridLib\.MSHFlexGrid(\.\d)?\x22|\x27MSHierarchicalFlexGridLib\.MSHFlexGrid(\.\d)?\x27)\s*\)(\s*\.\s*Rows\s*|.*(?P=n)\s*\.\s*Rows)\s*=/smiO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-4254; reference:url,support.microsoft.com/kb/960715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-070; classtype:attempted-user; sid:15102; rev:8; service:http; )
00593 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Visual Basic Hierarchical FlexGrid ActiveX clsid access"; flow:to_client,established; file_data; content:"0ECD9B64-23AA-11D0-B351-00A0C9055D8E",nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m3>\x22|\x27|)(?P<id1>.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P<q22>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0ECD9B64-23AA-11D0-B351-00A0C9055D8E\s*}?\s*(?P=q22)(\s|>).*(?P=id1)\s*\.\s*(Rows)|<object\s*[^>]*\s*classid\s*=\s*(?P<q23>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0ECD9B64-23AA-11D0-B351-00A0C9055D8E\s*}?\s*(?P=q23)(\s|>)[^>]*\s*id\s*=\s*(?P<m4>\x22|\x27|)(?P<id2>.+?)(?P=m4)(\s|>).*(?P=id2)\s*\.\s*(Rows))\s*=/siO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-4254; reference:url,support.microsoft.com/kb/960715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-070; classtype:attempted-user; sid:15100; rev:8; service:http; )
00594 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Visual Basic FlexGrid ActiveX function call access"; flow:to_client,established; file_data; content:"MSFlexGridLib.MSFlexGrid",nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22MSFlexGridLib\.MSFlexGrid(\.\d)?\x22|\x27MSFlexGridLib\.MSFlexGrid(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*FormatString\s*|.*(?P=v)\s*\.\s*FormatString\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22MSFlexGridLib\.MSFlexGrid(\.\d)?\x22|\x27MSFlexGridLib\.MSFlexGrid(\.\d)?\x27)\s*\)(\s*\.\s*FormatString\s*|.*(?P=n)\s*\.\s*FormatString)\s*=/smiO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-4253; reference:url,support.microsoft.com/kb/960715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-070; classtype:attempted-user; sid:15098; rev:8; service:http; )
00595 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Visual Basic FlexGrid ActiveX clsid access"; flow:to_client,established; file_data; content:"6262D3A0-531B-11CF-91F6-C2863C385E30",nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m5>\x22|\x27|)(?P<id1>.+?)(?P=m5)(\s|>)[^>]*\s*classid\s*=\s*(?P<q27>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*6262D3A0-531B-11CF-91F6-C2863C385E30\s*}?\s*(?P=q27)(\s|>).*(?P=id1)\s*\.\s*(FormatString)|<object\s*[^>]*\s*classid\s*=\s*(?P<q28>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*6262D3A0-531B-11CF-91F6-C2863C385E30\s*}?\s*(?P=q28)(\s|>)[^>]*\s*id\s*=\s*(?P<m6>\x22|\x27|)(?P<id2>.+?)(?P=m6)(\s|>).*(?P=id2)\s*\.\s*(FormatString))\s*=/siO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-4253; reference:url,support.microsoft.com/kb/960715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-070; classtype:attempted-user; sid:15096; rev:8; service:http; )
00596 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Remote Desktop Client ActiveX function call access"; flow:to_client,established; file_data; content:"MsRDP.MsRDP",nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22MsRDP\.MsRDP(\.\d)?\x22|\x27MsRDP\.MsRDP(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*MsRdpClientShell\.RdpFileContents\s*|.*(?P=v)\s*\.\s*MsRdpClientShell\.RdpFileContents\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22MsRDP\.MsRDP(\.\d)?\x22|\x27MsRDP\.MsRDP(\.\d)?\x27)\s*\)(\s*\.\s*MsRdpClientShell\.RdpFileContents\s*|.*(?P=n)\s*\.\s*MsRdpClientShell\.RdpFileContents)\s*=/smiO"; metadata:policy balanced-ips drop,policy security-ips alert,service http; reference:cve,2009-1929; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-044; classtype:attempted-user; sid:15863; rev:9; service:http; )
00597 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Remote Desktop Client ActiveX clsid access"; flow:to_client,established; file_data; content:"4EB89FF4-7F78-4A0F-8B8D-2BF02E94E4B2",nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*4EB89FF4-7F78-4A0F-8B8D-2BF02E94E4B2\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(MsRdpClientShell\.RdpFileContents)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*4EB89FF4-7F78-4A0F-8B8D-2BF02E94E4B2\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\s*\.\s*(MsRdpClientShell\.RdpFileContents))\s*=/siO"; metadata:policy balanced-ips drop,policy security-ips alert,service http; reference:cve,2009-1929; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-044; classtype:attempted-user; sid:15861; rev:9; service:http; )
00598 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Office Web Components 11 Spreadsheet ActiveX function call access"; flow:to_client,established; file_data; content:"OWC11.Spreadsheet",nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22OWC11\.Spreadsheet(\.\d)?\x22|\x27OWC11\.Spreadsheet(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22OWC11\.Spreadsheet(\.\d)?\x22|\x27OWC11\.Spreadsheet(\.\d)?\x27)\s*\)/smiO"; metadata:policy balanced-ips drop,policy security-ips alert,service http; reference:cve,2009-1136; reference:url,support.microsoft.com/kb/973472; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-043; classtype:attempted-user; sid:15691; rev:7; service:http; )
00599 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Office Web Components 11 Spreadsheet ActiveX clsid access"; flow:to_client,established; file_data; content:"0002E559-0000-0000-C000-000000000046",nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0002E559-0000-0000-C000-000000000046\s*}?\s*(?P=q1)(\s|>)/siO"; metadata:policy balanced-ips drop,policy security-ips alert,service http; reference:cve,2009-1136; reference:url,support.microsoft.com/kb/973472; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-043; classtype:attempted-user; sid:15689; rev:7; service:http; )
00600 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Office Web Components 10 Spreadsheet ActiveX function call access"; flow:to_client,established; file_data; content:"OWC10.Spreadsheet",nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22OWC10\.Spreadsheet(\.\d)?\x22|\x27OWC10\.Spreadsheet(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22OWC10\.Spreadsheet(\.\d)?\x22|\x27OWC10\.Spreadsheet(\.\d)?\x27)\s*\)/smiO"; metadata:policy balanced-ips drop,policy security-ips alert,service http; reference:cve,2009-2496; reference:url,support.microsoft.com/kb/973472; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-043; classtype:attempted-user; sid:15687; rev:8; service:http; )
00601 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Office Web Components 10 Spreadsheet ActiveX clsid access"; flow:to_client,established; file_data; content:"0002E541-0000-0000-C000-000000000046",nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0002E541-0000-0000-C000-000000000046\s*}?\s*(?P=q1)(\s|>)/siO"; metadata:policy balanced-ips drop,policy security-ips alert,service http; reference:cve,2009-2496; reference:url,support.microsoft.com/kb/973472; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-043; classtype:attempted-user; sid:15685; rev:8; service:http; )
00602 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Common Controls Animation Object ActiveX function call access"; flow:to_client,established; file_data; content:"mscomctl2.animation",nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22mscomctl2\.animation(\.\d)?\x22|\x27mscomctl2\.animation(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*Open\s*|.*(?P=v)\s*\.\s*Open\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22mscomctl2\.animation(\.\d)?\x22|\x27mscomctl2\.animation(\.\d)?\x27)\s*\)(\s*\.\s*Open\s*|.*(?P=n)\s*\.\s*Open\s*)\s*\(/smiO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-4255; reference:url,support.microsoft.com/kb/960715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-070; classtype:attempted-user; sid:15086; rev:8; service:http; )
00603 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Common Controls Animation Object ActiveX clsid access"; flow:to_client,established; file_data; content:"B09DE715-87C1-11D1-8BE3-0000F8754DA1",nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m9>\x22|\x27|)(?P<id1>.+?)(?P=m9)(\s|>)[^>]*\s*classid\s*=\s*(?P<q37>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*B09DE715-87C1-11D1-8BE3-0000F8754DA1\s*}?\s*(?P=q37)(\s|>).*(?P=id1)\s*\.\s*(Open)|<object\s*[^>]*\s*classid\s*=\s*(?P<q38>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*B09DE715-87C1-11D1-8BE3-0000F8754DA1\s*}?\s*(?P=q38)(\s|>)[^>]*\s*id\s*=\s*(?P<m10>\x22|\x27|)(?P<id2>.+?)(?P=m10)(\s|>).*(?P=id2)\.(Open))\s*\(/siO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-4255; reference:url,support.microsoft.com/kb/960715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-070; classtype:attempted-user; sid:15084; rev:8; service:http; )
00604 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer Tabular Control ActiveX overflow by ProgID"; flow:to_client,established; file_data; content:"ActiveXObject",nocase; content:"TDCCtl.TDCCtl",distance 0,fast_pattern,nocase; content:"DataURL",nocase; pcre:"/(?P<obj>[A-Z\d_]+)\s*=\s*new\s*ActiveXObject\x28(?P<q1>\x22|\x27|)TDCCtl\.TDCCtl(\.\d)?(?P=q1).*?(?P=obj)\.DataURL\s*=\s*(\x22[^\x22]{128}|\x27[^\x27]{128})/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-0805; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-018; classtype:attempted-user; sid:16511; rev:8; service:http; )
00605 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer Tabular Control ActiveX overflow by CLSID"; flow:to_client,established; file_data; content:"333C7BC4-460F-11D0-BC04-0080C7055A83",nocase; content:"DataURL",nocase; pcre:"/<object[^>]+classid\s*=\s*(?P<q1>\x22|\x27|)clsid\s*\x3A\s*{?\s*333C7BC4-460F-11D0-BC04-0080C7055A83\s*}?(?P=q1)/smi"; pcre:"/(?P<obj>[A-Z\d_]+)\.DataURL\s*=\s*(\x22[^\x22]{128}|\x27[^\x27]{128})/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-0805; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-018; classtype:attempted-user; sid:16510; rev:8; service:http; )
00606 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Facebook Photo Uploader ActiveX clsid access"; flow:to_client,established; file_data; content:"5C6698D9-7BE4-4122-8EC5-291D84DBD4A0"; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m3>\x22|\x27|)(?P<id1>.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P<q6>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*5C6698D9-7BE4-4122-8EC5-291D84DBD4A0\s*}?\s*(?P=q6)(\s|>).*(?P=id1)\s*\.\s*(Action|ExtractExif|ExtractIptc|FileMask)|<object\s*[^>]*\s*classid\s*=\s*(?P<q7>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*5C6698D9-7BE4-4122-8EC5-291D84DBD4A0\s*}?\s*(?P=q7)(\s|>)[^>]*\s*id\s*=\s*(?P<m4>\x22|\x27|)(?P<id2>.+?)(?P=m4)(\s|>).*(?P=id2)\s*\.\s*(Action|ExtractExif|ExtractIptc|FileMask))\s*=/smiO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,27576; reference:cve,2008-0660; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:13419; rev:16; service:http; )
00607 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS obfuscated instantiation of ActiveX object - likely malicious"; flow:to_client,established; file_data; content:"new ActiveXObject|28|",nocase; content:"unescape|28|",within 20,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-3558; classtype:attempted-user; sid:17571; rev:3; service:http; )
00608 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Internet Explorer Tabular Control ActiveX overflow by CLSID / param tag"; flow:to_client,established; file_data; content:"333C7BC4-460F-11D0-BC04-0080C7055A83",nocase; content:"<param",distance 0,nocase; content:"DataURL",distance 0,nocase; pcre:"/<object[^>]+classid\s*=\s*(?P<q1>\x22|\x27|)clsid\s*\x3A\s*{?\s*333C7BC4-460F-11D0-BC04-0080C7055A83\s*}?(?P=q1)/smi"; pcre:"/<param[^>]+(name\s*=\s*(?P<q2>\x22|\x27|)DataURL(?P=q2)[^>]+value\s*=\s*(\x22[^\x22]{128}|\x27[^\x27]{128})|value\s*=\s*(\x22[^\x22]{128}|\x27[^\x27]{128})[^>]+name\s*=\s*(?P<q3>\x22|\x27|)DataURL(?P=q3))/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-0805; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-018; classtype:attempted-user; sid:19893; rev:5; service:http; )
00609 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Explorer WebViewFolderIcon.WebViewFolderIcon.1 ActiveX function call"; flow:to_client,established; file_data; content:"WebViewFolderIcon.WebViewFolderIcon.1"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,19030; reference:cve,2006-3730; reference:url,browserfun.blogspot.com/2006/07/mobb-18-webviewfoldericon-setslice.html; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-057; classtype:attempted-user; sid:8419; rev:14; service:http; )
00610 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Explorer WebViewFolderIcon.WebViewFolderIcon.1 ActiveX clsid access"; flow:to_client,established; file_data; content:"E5DF9D10-3B52-11D1-83E8-00A0C90DC849"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,19030; reference:cve,2006-3730; reference:url,browserfun.blogspot.com/2006/07/mobb-18-webviewfoldericon-setslice.html; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-057; classtype:attempted-user; sid:7985; rev:13; service:http; )
00611 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS RealNetworks RealPlayer RMOC3260.DLL cdda URI overflow attempt"; flow:to_client,established; file_data; content:"CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA"; content:"cdda|3A 2F 2F|",nocase; isdataat:100,relative; pcre:"/cdda\x3A\x2F\x2F[^\s\x22\x27]{100}/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,44144; reference:cve,2010-3747; classtype:attempted-user; sid:18578; rev:5; service:http; )
00612 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows WMI Administrator Tools Object Viewer ActiveX ReleaseContext function call access"; flow:to_client,established; file_data; content:"ReleaseContext"; pcre:"/(?P<c>\w+)\s*=\s*(\x22ReleaseContext(\.\d)?\x22|\x27ReleaseContext(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22ReleaseContext(\.\d)?\x22|\x27ReleaseContext(\.\d)?\x27)\s*\)/smiO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-3973; reference:cve,2010-4588; reference:url,secunia.com/advisories/42693/; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-027; classtype:attempted-user; sid:18329; rev:8; service:http; )
00613 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows WMI Administrator Tools Object Viewer ActiveX AddContextRef function call access"; flow:to_client,established; file_data; content:"AddContextRef"; pcre:"/(?P<c>\w+)\s*=\s*(\x22AddContextRef(\.\d)?\x22|\x27AddContextRef(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22AddContextRef(\.\d)?\x22|\x27AddContextRef(\.\d)?\x27)\s*\)/smiO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-3973; reference:cve,2010-4588; reference:url,secunia.com/advisories/42693/; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-027; classtype:attempted-user; sid:18242; rev:9; service:http; )
00614 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Office Excel Viewer ActiveX function call access"; flow:to_client,established; file_data; content:"Excel.OActrl"; pcre:"/(?P<c>\w+)\s*=\s*(\x22Excel\.OActrl(\.\d)?\x22|\x27Excel\.OActrl(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|HttpDownloadFile|Save|SaveWebFile|OpenWebFile)\s*|.*(?P=v)\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|HttpDownloadFile|Save|SaveWebFile|OpenWebFile)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Excel\.OActrl(\.\d)?\x22|\x27Excel\.OActrl(\.\d)?\x27)\s*\)(\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|HttpDownloadFile|Save|SaveWebFile|OpenWebFile)\s*|.*(?P=n)\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|HttpDownloadFile|Save|SaveWebFile|OpenWebFile)\s*)/smiO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,23755; reference:bugtraq,33222; reference:bugtraq,33243; reference:cve,2007-2495; reference:url,moaxb.blogspot.com/2007/05/moaxb-02-excelviewerocx-v-31-multiple.html; classtype:attempted-user; sid:11183; rev:11; service:http; )
00615 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Office Excel Viewer ActiveX clsid access"; flow:to_client,established; file_data; content:"18A295DA-088E-42D1-BE31-5028D7F9B965"; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*18A295DA-088E-42D1-BE31-5028D7F9B965\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|HttpDownloadFile|Save|SaveWebFile|OpenWebFile)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*18A295DA-088E-42D1-BE31-5028D7F9B965\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|HttpDownloadFile|Save|SaveWebFile|OpenWebFile))/siO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,23755; reference:bugtraq,33222; reference:bugtraq,33243; reference:cve,2007-2495; reference:url,moaxb.blogspot.com/2007/05/moaxb-02-excelviewerocx-v-31-multiple.html; classtype:attempted-user; sid:11181; rev:12; service:http; )
00616 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Office PowerPoint Viewer ActiveX clsid access"; flow:to_client,established; file_data; content:"97AF4A45-49BE-4485-9F55-91AB40F22B92"; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m9>\x22|\x27|)(?P<id1>.+?)(?P=m9)(\s|>)[^>]*\s*classid\s*=\s*(?P<q19>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*97AF4A45-49BE-4485-9F55-91AB40F22B92\s*}?\s*(?P=q19)(\s|>).*(?P=id1)\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|Save|SaveWebFile|OpenWebFile)|<object\s*[^>]*\s*classid\s*=\s*(?P<q20>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*97AF4A45-49BE-4485-9F55-91AB40F22B92\s*}?\s*(?P=q20)(\s|>)[^>]*\s*id\s*=\s*(?P<m10>\x22|\x27|)(?P<id2>.+?)(?P=m10)(\s|>).*(?P=id2)\.(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|Save|SaveWebFile|OpenWebFile))\s*\(/siO"; metadata:policy balanced-ips drop,policy security-ips alert,service http; reference:bugtraq,23733; reference:bugtraq,33238; reference:bugtraq,33243; reference:cve,2007-2494; reference:url,moaxb.blogspot.com/2007/05/moaxb-01-powerpointviewerocx-31.html; classtype:attempted-user; sid:11176; rev:13; service:http; )
00617 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Office Viewer 2 ActiveX clsid access"; flow:to_client,established; file_data; content:"97AF4A45-49BE-4485-9F55-91AB40F288F2"; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m11>\x22|\x27|)(?P<id1>.+?)(?P=m11)(\s|>)[^>]*\s*classid\s*=\s*(?P<q24>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*97AF4A45-49BE-4485-9F55-91AB40F288F2\s*}?\s*(?P=q24)(\s|>).*(?P=id1)\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|Save|SaveWebFile|OpenWebFile|Open)|<object\s*[^>]*\s*classid\s*=\s*(?P<q25>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*97AF4A45-49BE-4485-9F55-91AB40F288F2\s*}?\s*(?P=q25)(\s|>)[^>]*\s*id\s*=\s*(?P<m12>\x22|\x27|)(?P<id2>.+?)(?P=m12)(\s|>).*(?P=id2)\.(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|Save|SaveWebFile|OpenWebFile|Open))\s*\(/siO"; metadata:policy balanced-ips drop,policy security-ips alert,service http; reference:bugtraq,23811; reference:bugtraq,33238; reference:bugtraq,33243; reference:bugtraq,33245; reference:cve,2007-2588; reference:url,moaxb.blogspot.com/2007/05/moaxb-04-office-viewer-oaocx-v-32.html; classtype:attempted-user; sid:15230; rev:8; service:http; )
00618 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Office Word Viewer ActiveX clsid access"; flow:to_client,established; file_data; content:"97AF4A45-49BE-4485-9F55-91AB40F22BF2"; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m7>\x22|\x27|)(?P<id1>.+?)(?P=m7)(\s|>)[^>]*\s*classid\s*=\s*(?P<q14>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*97AF4A45-49BE-4485-9F55-91AB40F22BF2\s*}?\s*(?P=q14)(\s|>).*(?P=id1)\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|Save|SaveWebFile|OpenWebFile)|<object\s*[^>]*\s*classid\s*=\s*(?P<q15>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*97AF4A45-49BE-4485-9F55-91AB40F22BF2\s*}?\s*(?P=q15)(\s|>)[^>]*\s*id\s*=\s*(?P<m8>\x22|\x27|)(?P<id2>.+?)(?P=m8)(\s|>).*(?P=id2)\.(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|Save|SaveWebFile|OpenWebFile))\s*\(/siO"; metadata:policy balanced-ips drop,policy security-ips alert,service http; reference:bugtraq,23784; reference:bugtraq,33238; reference:bugtraq,33243; reference:cve,2007-2496; reference:url,moaxb.blogspot.com/2007/05/moaxb-03-wordviewerocx-32-multiple_03.html; classtype:attempted-user; sid:11187; rev:11; service:http; )
00619 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft SQL Server 2000 Client Components ActiveX clsid access"; flow:to_client,established; file_data; content:"FC13BAA2-9C1A-4069-A221-31A147636038"; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m7>\x22|\x27|)(?P<id1>.+?)(?P=m7)(\s|>)[^>]*\s*classid\s*=\s*(?P<q16>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*FC13BAA2-9C1A-4069-A221-31A147636038\s*}?\s*(?P=q16)(\s|>).*(?P=id1)\s*\.\s*(Connect)|<object\s*[^>]*\s*classid\s*=\s*(?P<q17>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*FC13BAA2-9C1A-4069-A221-31A147636038\s*}?\s*(?P=q17)(\s|>)[^>]*\s*id\s*=\s*(?P<m8>\x22|\x27|)(?P<id2>.+?)(?P=m8)(\s|>).*(?P=id2)\.(Connect))/Osi"; metadata:policy balanced-ips drop,policy security-ips alert,service http; reference:bugtraq,31129; reference:cve,2008-4110; classtype:attempted-user; sid:14756; rev:8; service:http; )
00620 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Facebook Photo Uploader ActiveX function call access"; flow:to_client,established; file_data; content:"TheFacebook.FacebookPhotoUploader4.4.1"; pcre:"/(?P<c>\w+)\s*=\s*(\x22TheFacebook\.FacebookPhotoUploader4\.4\.1\x22|\x27TheFacebook\.FacebookPhotoUploader4\.4\.1\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(Action|ExtractExif|ExtractIptc|FileMask)\s*|.*(?P=v)\s*\.\s*(Action|ExtractExif|ExtractIptc|FileMask)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22TheFacebook\.FacebookPhotoUploader4\.4\.1\x22|\x27TheFacebook\.FacebookPhotoUploader4\.4\.1\x27)\s*\)(\s*\.\s*(Action|ExtractExif|ExtractIptc|FileMask)\s*|.*(?P=n)\s*\.\s*(Action|ExtractExif|ExtractIptc|FileMask))\s*=/siO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,27576; reference:cve,2008-0660; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:13421; rev:16; service:http; )
00621 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS SAP GUI SAPBExCommonResources ActiveX function call access"; flow:to_client,established; file_data; content:"SAPBExCommonResources.BExGlobal",nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22SAPBExCommonResources\.BExGlobal(\.\d)?\x22|\x27SAPBExCommonResources\.BExGlobal(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*Execute\s*|.*(?P=v)\s*\.\s*Execute\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22SAPBExCommonResources\.BExGlobal(\.\d)?\x22|\x27SAPBExCommonResources\.BExGlobal(\.\d)?\x27)\s*\)(\s*\.\s*Execute\s*|.*(?P=n)\s*\.\s*Execute\s*)/smiO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,securitytracker.com/alerts/2010/Mar/1023760.html; classtype:attempted-user; sid:17616; rev:4; service:http; )
00622 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS SAP GUI SAPBExCommonResources ActiveX clsid access"; flow:to_client,established; file_data; content:"A009C90D-814B-11D3-BA3E-080009D22344",nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A009C90D-814B-11D3-BA3E-080009D22344\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(Execute)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A009C90D-814B-11D3-BA3E-080009D22344\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(Execute))/siO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,securitytracker.com/alerts/2010/Mar/1023760.html; classtype:attempted-user; sid:17614; rev:4; service:http; )
# BROWSER-PLUGINS: four Microsoft COM objects (ciodm.dll, creator.dll x2,
# msdxm.ocx), all tied to bugtraq 19636 / CVE-2006-4495. Each rule is a bare
# CLSID content match inside file_data with no <object>/classid or method
# context, so any HTTP body that merely contains the GUID string triggers it;
# expect to tune by source if these fire on documentation or advisory pages.
00623 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft ciodm.dll ActiveX clsid access"; flow:to_client,established; file_data; content:"3BC4F3A3-652A-11D1-B4D4-00C04FC2DB8D"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,19636; reference:cve,2006-4495; reference:url,www.xsec.org/index.php?module=Releases&act=view&type=1&id=16; classtype:attempted-user; sid:17596; rev:4; service:http; )
00624 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft creator.dll 2 ActiveX clsid access"; flow:to_client,established; file_data; content:"F849164D-9863-11D3-97C6-0060084856D4"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,19636; reference:cve,2006-4495; reference:url,www.xsec.org/index.php?module=Releases&act=view&type=1&id=16; classtype:attempted-user; sid:17595; rev:4; service:http; )
00625 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft creator.dll 1 ActiveX clsid access"; flow:to_client,established; file_data; content:"606EF130-9852-11D3-97C6-0060084856D4"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,19636; reference:cve,2006-4495; reference:url,www.xsec.org/index.php?module=Releases&act=view&type=1&id=16; classtype:attempted-user; sid:17594; rev:4; service:http; )
00626 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft msdxm.ocx ActiveX clsid access"; flow:to_client,established; file_data; content:"8E71888A-423F-11D2-876E-00A0C9082467"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,19636; reference:cve,2006-4495; reference:url,www.xsec.org/index.php?module=Releases&act=view&type=1&id=16; classtype:attempted-user; sid:17593; rev:4; service:http; )
# BROWSER-PLUGINS: RIM AxLoader control, CVE-2009-0305 (MS KB 960715). Alerts
# on an <object> whose classid carries the CLSID; quoting may be ", ' or absent
# and the braces around the GUID are optional. There is no method-call check,
# so instantiation alone is enough to fire.
00627 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Research In Motion AxLoader ActiveX clsid access"; flow:to_client,established; file_data; content:"4788DE08-3552-49EA-AC8C-233DA52523B9"; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*4788DE08-3552-49EA-AC8C-233DA52523B9\s*}?\s*(?P=q1)(\s|>)/siO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,33663; reference:cve,2009-0305; reference:url,support.microsoft.com/kb/960715; classtype:attempted-user; sid:15311; rev:6; service:http; )
# BROWSER-PLUGINS: VMware VMCtl control, CVE-2008-3892. Requires an <object>
# carrying the CLSID and a later <id>.GuestInfo( call. Note the asymmetry in
# the quote groups: the classid-first alternative (q2/m2) also accepts an
# HTML-entity apostrophe (&#039;, written \x26\x23039\x3b) while the id-first
# alternative (m1/q1) does not.
00628 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS VMWare VMCtl Class ActiveX clsid access"; flow:to_client,established; file_data; content:"38DB77F9-058D-4955-98AA-4A9F3B6A5B06"; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*38DB77F9-058D-4955-98AA-4A9F3B6A5B06\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(GuestInfo)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|\x26\x23039\x3b|)\s*clsid\s*\x3a\s*{?\s*38DB77F9-058D-4955-98AA-4A9F3B6A5B06\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|\x26\x23039\x3b|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(GuestInfo))\s*\(/Osi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,30934; reference:cve,2008-3892; classtype:attempted-user; sid:14611; rev:8; service:http; )
# BROWSER-PLUGINS: Macrovision InstallShield Update Service WebAgent,
# CVE-2008-2470. Bare ProgID match ("DWUSWebAgent.WebAgent") with no
# ActiveXObject or method context; the msg says "function call" but nothing in
# the rule checks for one.
00629 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Macrovision InstallShield Update Service Agent ActiveX function call"; flow:to_client,established; file_data; content:"DWUSWebAgent.WebAgent"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,31235; reference:cve,2008-2470; classtype:attempted-user; sid:14765; rev:8; service:http; )
# BROWSER-PLUGINS: Autodesk LiveUpdate control, CVE-2008-4472; alerts on an
# <object> with the CLSID followed by <id>.ApplyPatch(. Review notes: the m4
# group lists \x27 twice (a redundant alternative, harmless but worth
# cleaning up on the next rev); group names m3/q6/q7/m4 depart from the
# m1/q1/q2/m2 convention of the sibling rules; as in sid 14611, only the
# classid-first branch accepts the &#039; entity quote.
00630 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Autodesk LiveUpdate ActiveX clsid access"; flow:to_client,established; file_data; content:"89EC7921-729B-4116-A819-DF86A4A5776B"; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m3>\x22|\x27|)(?P<id1>.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P<q6>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*89EC7921-729B-4116-A819-DF86A4A5776B\s*}?\s*(?P=q6)(\s|>).*(?P=id1)\s*\.\s*(ApplyPatch)|<object\s*[^>]*\s*classid\s*=\s*(?P<q7>\x22|\x27|\x26\x23039\x3b|)\s*clsid\s*\x3a\s*{?\s*89EC7921-729B-4116-A819-DF86A4A5776B\s*}?\s*(?P=q7)(\s|>)[^>]*\s*id\s*=\s*(?P<m4>\x22|\x27|\x27|\x26\x23039\x3b|)(?P<id2>.+?)(?P=m4)(\s|>).*(?P=id2)\.(ApplyPatch))\s*\(/Osi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,31490; reference:cve,2008-4472; classtype:attempted-user; sid:14748; rev:8; service:http; )
# BROWSER-PLUGINS: Lotus Domino Web Access controls, CVE-2010-0919. Requires at
# least 1024 bytes of data (isdataat:1024), ctrl.InstallBrowserHelperDll, and a
# General_ServerName attribute that is not closed by ">" within the next 1024
# bytes — i.e. an oversized attribute value. The pcre only confirms that one of
# the listed CLSIDs/ProgIDs (iNotes6, dwa7, dwa8/dwa85 and their GUIDs) appears
# somewhere in the body; it is not anchored to the preceding matches.
00631 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Lotus Domino Web Access ActiveX Controls buffer overflow attempt"; flow:to_client,established; file_data; isdataat:1024; content:"ctrl.InstallBrowserHelperDll",nocase; content:"General_ServerName",nocase; content:!">",within 1024; pcre:"/(3BFFE033-BF43-11d5-A271-00A024A51325|iNotes6\.iNotes6|E008A543-CEFB-4559-912F-C27C2B89F13B|dwa7\.dwa7|983A9C21-8207-4B58-BBB8-0EBC3D7C5505|dwa85?\.dwa85?|75AA409D-05F9-4f27-BD53-C7339D4B1D0A)/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,38457; reference:cve,2010-0919; reference:url,www-01.ibm.com/support/docview.wss?uid=swg21421808; classtype:attempted-user; sid:17545; rev:4; service:http; )
# BROWSER-PLUGINS: Office Web Components 11 DataSourceControl, CVE-2006-3729.
# sid 8723 (classid form) requires a later <id>.DeleteRecordSourceIfUnused(
# call; unlike the sibling clsid rules its pcre carries no /O (match-limit
# override) modifier. sid 9820 (ProgID form) only checks that
# OWC11.DataSourceControl is handed to new ActiveXObject — there is no method
# check, so it fires on any instantiation whether or not the vulnerable method
# is used.
00632 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Office Data Source Control 11.0 ActiveX clsid access"; flow:to_client,established; file_data; content:"0002E55B-0000-0000-C000-000000000046"; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0002E55B-0000-0000-C000-000000000046\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(DeleteRecordSourceIfUnused)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0002E55B-0000-0000-C000-000000000046\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(DeleteRecordSourceIfUnused))\s*\(/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,19069; reference:bugtraq,24462; reference:cve,2006-3729; reference:url,browserfun.blogspot.com/2006/07/mobb-19-datasourcecontrol.html; reference:url,osvdb.org/show/osvdb/27111; classtype:attempted-user; sid:8723; rev:11; service:http; )
00633 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS OWC11.DataSourceControl.11 ActiveX function call access"; flow:to_client,established; file_data; content:"OWC11.DataSourceControl"; pcre:"/(?P<c>\w+)\s*=\s*(\x22OWC11\.DataSourceControl(\.\d+)?\x22|\x27OWC11\.DataSourceControl(\.\d+)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22OWC11\.DataSourceControl(\.\d+)?\x22|\x27OWC11\.DataSourceControl(\.\d+)?\x27)\s*\)/smiO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,19069; reference:cve,2006-3729; reference:url,browserfun.blogspot.com/2006/07/mobb-19-datasourcecontrol.html; reference:url,osvdb.org/show/osvdb/27111; classtype:attempted-user; sid:9820; rev:10; service:http; )
# BROWSER-PLUGINS: Symantec Altiris Deployment Solution AeXNSPkgDL control,
# CVE-2009-3028. sid 17094 is the ProgID/ActiveXObject form, sid 17092 the
# <object classid> form; both require a Download or DownloadAndInstall call on
# the instance. The msg text reads "Altirix" although the ProgID matched is
# Altiris.AeXNSPkgDL — a typo in the message only; correcting it should come
# with a rev bump.
00634 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Symantec Altirix Deployment Solution AeXNSPkgDLLib.dll ActiveX function call access"; flow:to_client,established; file_data; content:"Altiris.AeXNSPkgDL",nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22Altiris\.AeXNSPkgDL(\.\d)?\x22|\x27Altiris\.AeXNSPkgDL(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(Download|DownloadAndInstall)\s*|.*(?P=v)\s*\.\s*(Download|DownloadAndInstall)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Altiris\.AeXNSPkgDL(\.\d)?\x22|\x27Altiris\.AeXNSPkgDL(\.\d)?\x27)\s*\)(\s*\.\s*(Download|DownloadAndInstall)\s*|.*(?P=n)\s*\.\s*(Download|DownloadAndInstall)\s*)/smiO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,36346; reference:cve,2009-3028; classtype:attempted-user; sid:17094; rev:4; service:http; )
00635 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Symantec Altirix Deployment Solution AeXNSPkgDLLib.dll ActiveX clsid access"; flow:to_client,established; file_data; content:"63716E93-033D-48B0-8A2F-8E8473FD7AC7",nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*63716E93-033D-48B0-8A2F-8E8473FD7AC7\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(Download|DownloadAndInstall)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*63716E93-033D-48B0-8A2F-8E8473FD7AC7\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(Download|DownloadAndInstall))/siO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,36346; reference:cve,2009-3028; classtype:attempted-user; sid:17092; rev:4; service:http; )
# BROWSER-PLUGINS: IBM Access Support control, CVE-2009-0215. <object> with the
# CLSID plus a later <id>.GetXMLValue reference (no opening "(" is required,
# unlike the VMware and Autodesk rules above).
00636 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS IBM Access Support ActiveX clsid access"; flow:to_client,established; file_data; content:"74FFE28D-2378-11D5-990C-006094235084"; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*74FFE28D-2378-11D5-990C-006094235084\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(GetXMLValue)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*74FFE28D-2378-11D5-990C-006094235084\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(GetXMLValue))/siO"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,34228; reference:cve,2009-0215; classtype:attempted-user; sid:16746; rev:5; service:http; )
# BROWSER-PLUGINS: Aurigma Image Uploader, labelled "unspecified 31" in the msg;
# the only reference is MS advisory 953839, no CVE on this page. Classid-only
# match with no method check; the pcre has no /O modifier and its quote group is
# named q49 rather than the usual q1.
00637 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Aurigma Image Uploader unspecified 31 ActiveX clsid access"; flow:to_client,established; file_data; content:"D986FE4B-AE67-43C8-9A89-EADDEA3EC6B6"; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q49>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*D986FE4B-AE67-43C8-9A89-EADDEA3EC6B6\s*}?\s*(?P=q49)(\s|>)/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14148; rev:10; service:http; )
# BROWSER-PLUGINS: Silverlight privilege escalation, CVE-2012-0014 / MS12-016.
# Inspects file_data on $FILE_DATA_PORTS (http, imap, pop3) for the type name
# System.Net.Sockets<NUL>SocketAsyncEventArgs followed by MemberwiseClone
# (fast_pattern). classtype is attempted-admin — the only admin-level rule in
# this section of the file.
00638 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Silverlight privilege escalation attempt"; flow:to_client,established; file_data; content:"System.Net.Sockets|00|SocketAsyncEventArgs",nocase; content:"MemberwiseClone",distance 0,fast_pattern,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0014; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-016; classtype:attempted-admin; sid:21299; rev:5; service:http; service:imap; service:pop3; )
# BROWSER-PLUGINS: Java plugin docbase overflow, CVE-2010-3552. Matches the
# literal applet parameter name="docbase" value="' + followed by "sBoF" within
# 20 bytes; "sBoF" is a variable name from a specific public PoC, so coverage is
# limited to that PoC rather than to the oversized-docbase condition itself.
00639 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Oracle Java browser plugin docbase overflow attempt"; flow:to_client,established; file_data; content:"name=|22|docbase|22| value=|22 27| + ",nocase; content:"sBoF",within 20,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,44023; reference:cve,2010-3552; reference:url,osvdb.org/show/osvdb/68873; classtype:attempted-user; sid:18245; rev:6; service:http; )
# BROWSER-PLUGINS: Samsung Kies, CVE-2012-3806 through CVE-2012-3810. Four
# rules sharing one msg, one CLSID each; bare content matches with no <object>
# or method context, so they have the same false-positive profile as the
# Microsoft CLSID rules in this file. All rev:1. sids 24525 and 24528 both cite
# CVE-2012-3807.
00640 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Samsung Kies arbitrary file execution attempt"; flow:to_client,established; file_data; content:"40EC20B2-61B4-4cdd-B4BD-F1E462C0E398"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-3807; classtype:attempted-user; sid:24525; rev:1; service:http; )
00641 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Samsung Kies arbitrary file execution attempt"; flow:to_client,established; file_data; content:"C668B648-A2BD-432C-854F-C8C0A275E1F1"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-3808; reference:cve,2012-3809; reference:cve,2012-3810; classtype:attempted-user; sid:24526; rev:1; service:http; )
00642 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Samsung Kies arbitrary file execution attempt"; flow:to_client,established; file_data; content:"7650BC47-036D-4D5B-95B4-9D622C8D00A4"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-3806; classtype:attempted-user; sid:24527; rev:1; service:http; )
00643 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Samsung Kies arbitrary file execution attempt"; flow:to_client,established; file_data; content:"1FA56F8D-A66E-4ABD-9BC9-6F61469E59AD"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-3807; reference:cve,2012-3809; reference:cve,2012-3810; classtype:attempted-user; sid:24528; rev:1; service:http; )
# BROWSER-PLUGINS: Honeywell HscRemoteDeploy control, CVE-2013-0108. <object>
# with the CLSID and a later <id>.LaunchInstaller; the attribute terminator
# class (\s|>|\x2F) also accepts a self-closing "/". Inspects http, imap and
# pop3 file data. The ProgID companion rule is sid 26573.
00644 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt"; flow:established,to_client; file_data; content:"0D080D7D-28D2-4F86-BFA1-D582E5CE4867"; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>|\x2F)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0D080D7D-28D2-4F86-BFA1-D582E5CE4867\s*}?\s*(?P=q1)(\s|>|\x2F).*(?P=id1)\s*\.\s*(LaunchInstaller)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0D080D7D-28D2-4F86-BFA1-D582E5CE4867\s*}?\s*(?P=q2)(\s|>|\x2F)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>|\x2F).*(?P=id2)\.(LaunchInstaller))/siO"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,58134; reference:cve,2013-0108; reference:url,osvdb.org/show/osvdb/90583; classtype:attempted-user; sid:26193; rev:2; service:http; service:imap; service:pop3; )
# BROWSER-PLUGINS: Google Apps mailto: URI argument injection, bugtraq 36581
# (no CVE on this page). Three content matches for injected command-line
# switches in a URL; the first two are nocase but the third
# ("%20--no-sandbox%20") is case-sensitive — likely unintentional and worth
# aligning on the next rev.
00646 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Google Apps mailto URI argument injection attempt"; flow:to_client,established; file_data; content:"|22|%20--domain=|22|",nocase; content:"--renderer-path|3D|",nocase; content:"%20--no-sandbox%20"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,36581; classtype:attempted-user; sid:26250; rev:1; service:http; )
# BROWSER-PLUGINS: Metalink download-URL buffer overflow, CVE-2008-1602. Depends
# on the file.metalink flowbit, which is set by a rule outside this view. Fires
# on a <url element whose http:// value runs 1024+ bytes without a closing
# </url (isdataat:1024,relative plus the negated content).
00647 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Metalink file download parameter buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.metalink; file_data; content:"<url"; content:"http://",within 100; isdataat:1024,relative; content:!"</url",within 1024; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2008-1602; classtype:attempted-user; sid:26421; rev:1; service:http; service:imap; service:pop3; )
# BROWSER-PLUGINS: AwingSoft Winds3D Player SceneURL, CVE-2009-2386 /
# CVE-2009-4850. CLSID followed (distance 0) by a literal
# <param name="SceneURL" value="http:// prefix; both contents are case-sensitive
# and the value prefix covers http:// only, not https://.
00648 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS AwingSoft Winds3D Player SceneURL method command execution attempt"; flow:to_client,established; file_data; content:"clsid|3A|17A54E7D-A9D4-11D8-9552-00E04CB09903"; content:"|3C|param name|3D 22|SceneURL|22| value|3D 22|http|3A 2F 2F|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-2386; reference:cve,2009-4850; classtype:attempted-user; sid:16785; rev:4; service:http; )
# BROWSER-PLUGINS: Siemens SIMATIC WinCC RegReader OpenConnection,
# CVE-2013-0674. sid 26497 is the <object classid> form, sid 26498 the
# WebClientInstall.RegReader ProgID form. Unlike most rules in this file the
# metadata lists only the security-ips drop policy, not balanced-ips. Both
# rev:1.
00649 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Siemens SIMATIC WinCC RegReader ActiveX vulnerable function access attempt"; flow:established,to_client; file_data; content:"3384F595-9B10-4139-9893-7E4CB1F11875"; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>|\x2F)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3384F595-9B10-4139-9893-7E4CB1F11875\s*}?\s*(?P=q1)(\s|>|\x2F).*(?P=id1)\s*\.\s*(OpenConnection)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3384F595-9B10-4139-9893-7E4CB1F11875\s*}?\s*(?P=q2)(\s|>|\x2F)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>|\x2F).*(?P=id2)\.(OpenConnection))/siO"; metadata:policy security-ips drop,service http; reference:cve,2013-0674; reference:url,osvdb.org/show/osvdb/91311; classtype:attempted-user; sid:26497; rev:1; service:http; )
00650 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Siemens SIMATIC WinCC RegReader ActiveX vulnerable function access attempt"; flow:established,to_client; file_data; content:"WebClientInstall.RegReader"; pcre:"/(?P<c>\w+)\s*=\s*(\x22WebClientInstall\.RegReader(\.\d*)?\x22|\x27WebClientInstall\.RegReader(\.\d*)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*OpenConnection\s*|.*(?P=v)\s*\.\s*OpenConnection\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22WebClientInstall\.RegReader(\.\d*)?\x22|\x27WebClientInstall\.RegReader(\.\d*)?\x27)\s*\)(\s*\.\s*OpenConnection\s*|.*(?P=n)\s*\.\s*OpenConnection\s*)/smiO"; metadata:policy security-ips drop,service http; reference:cve,2013-0674; reference:url,osvdb.org/show/osvdb/91311; classtype:attempted-user; sid:26498; rev:1; service:http; )
# BROWSER-PLUGINS: Java Web Start security-warning bypass (Immunity blog
# reference, no CVE on this page). Looks for a JNLP <applet-desc> with a param
# named __applet_ssv_validated and "true" nearby; the distance -50 lets the
# value appear up to 50 bytes before the parameter name. Also enabled in the
# connectivity-ips policy, i.e. broader deployment than the ActiveX rules.
00651 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Java security warning bypass through JWS attempt"; flow:to_client,established; file_data; content:"jnlp",nocase; content:"<applet-desc"; content:"param",distance 0; content:"__applet_ssv_validated",within 50; content:"true",within 100,distance -50; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:attempted-user; sid:26524; rev:3; service:http; service:imap; service:pop3; )
# BROWSER-PLUGINS: ProgID companion to sid 26193 for Honeywell HscRemoteDeploy,
# CVE-2013-0108: HSCRemoteDeploy.RemoteInstaller handed to new ActiveXObject
# (directly or via a variable) and .LaunchInstaller called on the instance.
00653 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt"; flow:established,to_client; file_data; content:"HSCRemoteDeploy.RemoteInstaller"; pcre:"/(?P<c>\w+)\s*=\s*(\x22HSCRemoteDeploy\.RemoteInstaller(\.\d*)?\x22|\x27HSCRemoteDeploy\.RemoteInstaller(\.\d*)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*LaunchInstaller\s*|.*(?P=v)\s*\.\s*LaunchInstaller\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22HSCRemoteDeploy\.RemoteInstaller(\.\d*)?\x22|\x27HSCRemoteDeploy\.RemoteInstaller(\.\d*)?\x27)\s*\)(\s*\.\s*LaunchInstaller\s*|.*(?P=n)\s*\.\s*LaunchInstaller\s*)/smiO"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,58134; reference:cve,2013-0108; reference:url,osvdb.org/show/osvdb/90583; classtype:attempted-user; sid:26573; rev:1; service:http; service:imap; service:pop3; )
# BROWSER-PLUGINS: same JWS bypass as sid 26524, for the jnlp_embedded form:
# after "jnlp_embedded" and "value", base64_decode (1000 bytes, offset 2,
# relative) and then the same applet-desc / __applet_ssv_validated / "true"
# checks are run against the decoded base64_data buffer.
00655 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Java security warning bypass through JWS attempt"; flow:to_client,established; file_data; content:"jnlp_embedded"; content:"value",within 10; base64_decode:bytes 1000,offset 2, relative; base64_data; content:"jnlp",nocase; content:"<applet-desc"; content:"param",distance 0; content:"__applet_ssv_validated",within 50; content:"true",within 100,distance -50; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:attempted-user; sid:26646; rev:3; service:http; service:imap; service:pop3; )
# BROWSER-WEBKIT: Safari/WebKit memory-safety bugs matched by literal PoC
# JavaScript. sid 19009 (CVE-2010-1814) keys on window.layoutTestController and
# eventSender.keyDown — WebKit test-harness objects; sids 19004/19003
# (CVE-2010-1806) on exact "display: run-in" + appendChild statements; sid
# 18995 (CVE-2010-1812) on selectAllChildren / display='none' /
# removeAllRanges; sid 18770 (CVE-2011-0115) on a DOM event listener followed
# by innerHTML =, createRange(); and extractContents();. Because the content
# strings are verbatim PoC lines, any reformatting of the script falls outside
# coverage — treat these as low-FP, PoC-specific detections.
00658 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-WEBKIT Apple Safari WebKit menu onchange memory corruption attempt"; flow:to_client,established; file_data; content:"window.layoutTestController"; content:"eventSender.keyDown|28 22|e|22 29 3B|",distance 0; content:"eventSender.keyDown|28 22 5C|r|22 2C 20 5B 5D 29 3B|",distance 0; content:"document.body.offsetTop|3B|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,43083; reference:cve,2010-1814; classtype:attempted-user; sid:19009; rev:3; service:http; )
00659 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-WEBKIT Apple Safari Webkit run-in use-after-free attempt"; flow:to_client,established; file_data; content:"p|20 7B 20|display|3A 20|run|2D|in|20 7D|"; content:"document.getElementById|28 22|run|2D|in|22 29 2E|appendChild|28|child|29 3B|"; content:"document.getElementById|28 22|test|22 29|.appendChild|28|document.getElementById|28 22|sibling|22 29 29 3B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,43049; reference:cve,2010-1806; classtype:attempted-user; sid:19004; rev:3; service:http; )
00660 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-WEBKIT Apple Safari Webkit run-in use-after-free attempt"; flow:to_client,established; file_data; content:"elem.setAttribute|28 22|style|22 2C 20 22|display|3A 20|run|2D|in|22 29 3B|"; content:"document.getElementById|28 22|run|2D|in|22 29 2E|appendChild|28|elem|29 3B|"; content:"document.getElementById|28 22|output|22 29|.appendChild|28|document.getElementById|28 22|block-sibling|22 29 29 3B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,43049; reference:cve,2010-1806; classtype:attempted-user; sid:19003; rev:3; service:http; )
00661 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-WEBKIT Apple Safari Webkit removeAllRanges use-after-free attempt"; flow:to_client,established; file_data; content:"window|2E|getSelection|28 29 2E|selectAllChildren"; content:"style|2E|display|20 3D 20 27|none|27|",distance 0; content:"window|2E|getSelection|28 29 2E|removeAllRanges",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,43079; reference:cve,2010-1812; classtype:attempted-user; sid:18995; rev:3; service:http; )
00662 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-WEBKIT Apple Safari WebKit range object remote code execution attempt"; flow:to_client,established; file_data; content:"document.addEventListener(|22|DOM",nocase; content:".innerHTML|20 3D|",distance 0,nocase; content:"document.createRange|28 29 3B|",distance 0,nocase; content:".extractContents|28 29 3B|",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,46746; reference:cve,2011-0115; classtype:attempted-user; sid:18770; rev:4; service:http; )
# BROWSER-WEBKIT: floating-point parsing overflow, CVE-2009-2195, three
# variants keyed on the exact long digit strings of public PoCs (an <img
# width=0.31337..., "var Overflow = "31337" + 0.31337...", and "var pi=3+0.1415..."
# with the matching document.write line). Effectively zero false positives;
# coverage is limited to those literals.
00663 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-WEBKIT Apple Safari Webkit floating point buffer overflow attempt"; flow:to_client,established; file_data; content:"|3C|img width=0.3133731337313373133731337"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,36023; reference:cve,2009-2195; classtype:attempted-user; sid:18295; rev:3; service:http; )
00664 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-WEBKIT Apple Safari Webkit floating point buffer overflow attempt"; flow:to_client,established; file_data; content:"var Overflow = |22|31337|22 20 2B 20|0|2E|313373133731337313373133731337"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,36023; reference:cve,2009-2195; classtype:attempted-user; sid:18294; rev:4; service:http; )
00665 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-WEBKIT Apple Safari Webkit floating point buffer overflow attempt"; flow:to_client,established; file_data; content:"var pi=3+0.14159265358979323846264338327950288419716939937510582097494459230781640628620899862803482534211706798214808651328230664709384460955058223172535940812848111745028410270193852"; content:"document.write|28 22|Area = pi*|28|r^2|29 22|+pi*|28|radius*radius|29 29 3B|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,36023; reference:cve,2009-2195; classtype:attempted-user; sid:16145; rev:3; service:http; )
# BROWSER-WEBKIT: sid 21189 (CVE-2011-0221) correlates a setTimeout body that
# touches document.body.innerHTML with a later getElementById(<id>).innerHTML
# and a <div id=<id>> using named back-references (the four plain contents are
# just pre-filters for that pcre); sid 20999 (CVE-2011-5046, MS12-008) is an
# <iframe height= with six or more digits, classtype attempted-dos; sid 19008
# (CVE-2010-1807) is the literal debug(-parseFloat("NAN(ffffe string; sid
# 18508 (ParentStyleSheet; only an svnsearch reference for WebKit change 51993,
# no CVE on this page) uses numbered back-references \1 \2 and, unlike sid
# 21189's siblings elsewhere in the file, no /O modifier.
00666 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-WEBKIT Apple Safari innerHTML use after free exploit attempt"; flow:to_client,established; file_data; content:"setTimeout",nocase; content:"document.body.innerHTML",distance 0,nocase; content:"document.getElementById(",distance 0,nocase; content:".innerHTML",distance 0,nocase; pcre:"/setTimeout.*?\x7b[^\x7d]*document\.body\.innerHTML.*?\x7d.*document\.getElementById\x28(?P<q1>\x22|\x27|)(?P<m1>\w+?)(?P=q1)\x29\.innerHTML.*?div\s+id\s*\x3d\s*(?P<q2>\x22|\x27|)(?P=m1)(?P=q2)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,48844; reference:cve,2011-0221; classtype:attempted-user; sid:21189; rev:2; service:http; )
00667 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-WEBKIT Microsoft Windows 7 x64 Apple Safari abnormally long iframe exploit attempt"; flow:to_client,established; file_data; content:"<iframe",fast_pattern,nocase; content:"height|3D|",within 50,nocase; pcre:"/<iframe[^>]*?height\x3d\s*[\x22\x27]?\s*[0-9]{6}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,51122; reference:cve,2011-5046; reference:url,osvdb.org/show/osvdb/77908; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-008; classtype:attempted-dos; sid:20999; rev:9; service:http; )
00668 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-WEBKIT Apple Safari Webkit floating point conversion memory corruption attempt"; flow:to_client,established; file_data; content:"debug|28 2D|parseFloat|28 22|NAN|28|ffffe"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,43047; reference:cve,2010-1807; classtype:attempted-user; sid:19008; rev:3; service:http; )
00669 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-WEBKIT Apple Safari WebKit ParentStyleSheet exploit attempt"; flow:to_client,established; file_data; content:".sheet.rules["; pcre:"/getElementById\(\x22(.*?)\x22\)\.sheet\.rules\[\d+\].*?([A-Z\d_]+)\s*=\s*document\.getElementById\(\x22\1\x22\).*?\s+\2\.parentElement/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,svnsearch.org/svnsearch/repos/WEBKIT/search?logMessage=51993; classtype:attempted-user; sid:18508; rev:4; service:http; )
# EXPLOIT-KIT: Blackhole landing / redirect page signatures. Each rule carries
# the same 14-CVE reference list (presumably the kit's exploit set) rather than
# one vulnerability. sids 24054 / 23786 / 23785 / 23158 / 22040 key on the
# obfuscation wrapper — <script>try{ ... }catch( with ++, Math.round,
# Math.floor or prototype- inside, or the "ype"].q}catch(" fragment; sids
# 24053 and 23781 on the <applet/code=" and z=function(){ page skeletons; sids
# 23797 and 22041 on the hidden 10x10 iframe style string and the
# showthread.php?t=<16 hex> document.location redirect (impact_flag red); sids
# 23159 and 22039 on the two "Please wait" text variants. In sid 24054 the
# second "}catch(" content (within 50) is searched after the first match, so it
# asks for a further occurrence, not a re-check of the same one. Kit page
# templates change between campaigns, so these should be reviewed for hit rate
# rather than assumed current.
00671 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole landing page with specific structure"; flow:to_client,established; file_data; content:"<script>try{"; content:"++",within 20,nocase; content:"}catch(",within 10,nocase; content:"}catch(",within 50; pcre:"/\x3cscript\x3etry\x7b\w+\x2b\x2b([^\x7d]{1,4})?\x7dcatch\x28/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:attempted-user; sid:24054; rev:6; service:http; service:imap; service:pop3; )
00672 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole landing page with specific structure"; flow:to_client,established; file_data; content:"<html><body><applet/code=|22|"; content:"/archive=|22|",within 20; content:".jar",within 20; content:"<param/nam=",within 20; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:attempted-user; sid:24053; rev:3; service:http; service:imap; service:pop3; )
00674 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole redirection page"; flow:to_client,established; file_data; content:"width|3D 27|10|27| height|3D 27|10|27| style|3D 27|visibility|3A|hidden|3B|position|3A|absolute|3B|left|3A|0|3B|top|3A|0|3B 27 3E 3C 2F|iframe|3E 22|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,www.urlquery.net/report.php?id=113788; classtype:trojan-activity; sid:23797; rev:3; service:http; service:imap; service:pop3; )
00675 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole landing page with specific structure - Math.round catch"; flow:to_client,established; file_data; content:"<script>try{"; content:"Math.round",within 50,nocase; content:"}catch(",within 10,nocase; pcre:"/Math\x2eround([^\x7d]{1,3})?\x7dcatch\x28/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:attempted-user; sid:23786; rev:5; service:http; service:imap; service:pop3; )
00676 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole landing page with specific structure - Math.floor catch"; flow:to_client,established; file_data; content:"<script>try{"; content:"Math.floor",within 50,nocase; content:"}catch(",within 10,nocase; pcre:"/Math\x2efloor([^\x7d]{1,3})?\x7dcatch\x28/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:attempted-user; sid:23785; rev:5; service:http; service:imap; service:pop3; )
00677 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole landing page"; flow:to_client,established; file_data; content:"<html><body><script>z=function(){"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:23781; rev:3; service:http; service:imap; service:pop3; )
00679 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole landing page download attempt"; flow:to_client,established; file_data; content:"<h",nocase; content:"><b>Please wait a moment. You will be forwarded..",within 54,distance 1,nocase; content:"</h",within 10; content:"></b>|0D 0A|",within 7,distance 1; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:attempted-user; sid:23159; rev:5; service:http; service:imap; service:pop3; )
00680 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole landing page with specific structure - prototype catch"; flow:to_client,established; file_data; content:"prototype-"; content:"}catch(",distance 0; pcre:"/prototype\x2d([^\x7d]{1,5})?\x7dcatch\x28/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:attempted-user; sid:23158; rev:3; service:http; service:imap; service:pop3; )
00682 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole landing redirection page"; flow:to_client,established; file_data; content:"document.location|3D 27|http|3A 2F 2F|"; content:"showthread.php?t=",distance 0; pcre:"/showthread\.php\?t\=[a-f0-9]{16}\x27\x3b/smi"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:22041; rev:4; service:http; )
00683 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole suspected landing page"; flow:to_client,established; file_data; content:"ype|22|].q}catch("; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; reference:url,research.zscaler.com/2012/04/multiple-hijacking.html; reference:url,sophosnews.files.wordpress.com/2012/03/blackhole_paper_mar2012.pdf; classtype:attempted-user; sid:22040; rev:3; service:http; )
00684 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole suspected landing page"; flow:to_client,established; file_data; content:"Please|3A|wait|3A|page|3A|is|3A|loading"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; reference:url,sophosnews.files.wordpress.com/2012/03/blackhole_paper_mar2012.pdf; classtype:attempted-user; sid:22039; rev:3; service:http; )
00685 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole Exploit landing page with specific structure - Loading"; flow:to_client,established; file_data; content:"|0D 0A 0D 0A|<h1><b>Loading...Please Wait...</b>|0D 0A 0D 0A|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; reference:url,sophosnews.files.wordpress.com/2012/03/blackhole_paper_mar2012.pdf; classtype:trojan-activity; sid:21876; rev:4; service:http; service:imap; service:pop3; )
00686 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole landing page with specific structure - catch"; flow:to_client,established; flowbits:isset,kit.blackhole; file_data; content:"}catch(qq"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; reference:url,sophosnews.files.wordpress.com/2012/03/blackhole_paper_mar2012.pdf; classtype:attempted-user; sid:21661; rev:4; service:http; service:imap; service:pop3; )
00689 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole possible landing page"; flow:to_client,established; flowbits:isset,kit.blackhole; file_data; content:"<span style=|22|display:none|3B 22|>safsaf(|27|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:trojan-activity; sid:21658; rev:3; service:http; service:imap; service:pop3; )
00690 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole Applet landing page"; flow:to_client,established; flowbits:isset,kit.blackhole; file_data; content:"<html><body><applet/"; content:"archive=",distance 0; content:"code=",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:trojan-activity; sid:21657; rev:3; service:http; service:imap; service:pop3; )
00691 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole landing page with specific header"; flow:to_client,established; file_data; content:"<h3>Page is loading, please wait..</h3>"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:attempted-user; sid:21549; rev:4; service:http; service:imap; service:pop3; )
00692 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole landing page with specific header"; flow:to_client,established; file_data; content:"<h1>Loading ... Please Wait.... </h1>"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:attempted-user; sid:21539; rev:4; service:http; service:imap; service:pop3; )
00696 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole exploit kit response"; flow:to_client, established; flowbits:isset,kit.blackhole; file_data; content:"window.document"; content:"split"; pcre:"/\d{1,3}(.)\d{1,3}\1\d{1,3}\1\d{1,3}\1\d{1,3}\1/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:21259; rev:3; service:http; )
00697 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT possible Blackhole landing page"; flow:to_client, established; flowbits:isset,kit.blackhole; file_data; content:"<html><body><script>|0D 0A|if(window.document)"; pcre:"/(,\d{1,3}){20}/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:21045; rev:3; service:http; )
00698 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT possible Blackhole landing page"; flow:to_client, established; flowbits:isset,kit.blackhole; file_data; content:"<html><body><script>"; content:"new Date().getDay"; pcre:"/(#\d{1,2}){20}/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:21044; rev:3; service:http; )
# sid:23141 - fake payment-notification redirect page ("<h2>Wait your
# order</h2>"); the only reference is a blog write-up, no CVE is attached.
00702 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Fake transaction redirect page to exploit kit"; flow:to_client,established; file_data; content:"<h2>Wait your order</h2>"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,stopmalvertising.com/spam-scams/paypal-payment-notification-leads-to-blackhole-exploit-kit.html; classtype:attempted-user; sid:23141; rev:3; service:http; )
# Post-compromise script markers served to the client; both are classtype
# successful-user. The contents are case-sensitive (no nocase). In
# sid:21875 the two contents are not distance-bound, so "exec " and
# "taskkill /F /IM" may occur anywhere in the body as long as they are in
# that order.
# NOTE(review): VBScript identifiers are case-insensitive, so a page using
# "CreateObject(StrReverse(" would not hit sid:21874 as written. Confirm
# whether the exact casing is a deliberate kit fingerprint before widening
# the match with nocase.
00703 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Possible exploit kit post compromise activity - taskkill"; flow:to_client,established; file_data; content:"exec "; content:"taskkill /F /IM"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:successful-user; sid:21875; rev:4; service:http; )
00704 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Possible exploit kit post compromise activity - StrReverse"; flow:to_client,established; file_data; content:"Createobject(StrReverse("; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:successful-user; sid:21874; rev:4; service:http; )
# sid:21509 - Sakura: requires archive='rhin.jar' and, later in the same
# body (distance 0), archive='Goo.jar'.
00705 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Sakura exploit kit rhino jar request"; flow:to_client,established; file_data; content:"archive='rhin.jar'"; content:"archive='Goo.jar'",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2011-3544; reference:url,xylibox.blogspot.com/2012/01/another-sakura-kit.html; classtype:attempted-user; sid:21509; rev:2; service:http; )
# sid:21098 - Crimepack decoder: rot13-style charCodeAt(0)+13 with @/!/#
# mapped back to A/B/C and a custom base64 alphabet. The relative pcre (/R)
# contains three unbounded ".*" spans plus backreferences and can backtrack
# heavily on large bodies, but it only runs after both literal contents have
# matched.
00707 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Crimepack exploit kit landing page"; flow:to_client, established; file_data; content:"charCodeAt(0)+13)?c:c-26)|3B|}).replace(/@/g,'A').replace(/!/g,'B').replace(/#/g,'C')"; content:"= 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/='|3B|"; pcre:"/var ([^\s]+) = ''\x3Bvar ([^,]+), ([^,]+).*\1 = \1 \+ String\.fromCharCode\(\2\).*\!= 64\) \{ \1 = \1 \+ String\.fromCharCode\(\3\)\x3b\}.*\x3breturn unescape\(\1\)\x3b\}return 0\x3b\}/R"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0806; classtype:attempted-user; sid:21098; rev:3; service:http; )
# sid:21068 - Eleanore: PHP response headers leaked into the body after a
# stray "?>" ("?>X-Powered-By: PHP/5.2.0"); the second content (distance 0)
# requires the artefact to appear a second time, i.e. the kit's duplicated
# header output rather than a single accidental leak.
00709 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Eleanore exploit kit landing page"; flow:to_client, established; file_data; content:"X-Powered-By|3A| PHP/5.2.0|0D 0A|Content-type|3A| text/html|0D 0A 0D 0A|?>X-Powered-By|3A| PHP/5.2.0|0D 0A|"; content:"?>X-Powered-By: PHP/5.2.0",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2008-2463; reference:cve,2010-0188; reference:cve,2010-0806; reference:cve,2010-0840; reference:cve,2010-1885; reference:cve,2010-4452; reference:cve,2011-0558; reference:cve,2011-0559; reference:cve,2011-0611; reference:cve,2011-2462; reference:cve,2011-3521; reference:cve,2011-3544; reference:url,krebsonsecurity.com/2010/01/a-peek-inside-the-eleonore-browser-exploit-kit/; classtype:trojan-activity; sid:21068; rev:3; service:http; )
# RedKit landing pages. Both rules are policy alert, not drop.
# sid:23222 - <applet ...> whose archive= or src= attribute names a
# five-digit .jar, quoted with ", ' or unquoted; the "[^>]+" path
# alternative is bounded by the closing '>' of the tag.
00713 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT RedKit Landing Page Received - applet and 5 digit jar attempt"; flow:to_client,established; file_data; content:"<applet"; pcre:"/<applet[^>]+(archive|src)\s*?=\s*?(\x22|\x27|)\s*?(\d{5}\.jar|[^>]+\/\d{5}\.jar)/smi"; metadata:policy balanced-ips alert,policy security-ips alert,service http,service imap,service pop3; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; reference:cve,2013-2423; reference:url,blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html; classtype:trojan-activity; sid:23222; rev:7; service:http; service:imap; service:pop3; )
# sid:23225 - any "<applet" once flowbits kit.redkit is set; the rule that
# sets it is not in this chunk, so this rule is meaningless on its own.
00715 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT RedKit Landing Page Received - applet and flowbit"; flow:to_client,established; flowbits:isset,kit.redkit; file_data; content:"<applet"; metadata:policy balanced-ips alert,policy security-ips alert,service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; reference:cve,2013-2423; reference:url,blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html; classtype:trojan-activity; sid:23225; rev:5; service:http; )
# sid:23106 - 1x1 applet carrying WINDOWS, OSX, LINUX and 64 <param>
# entries in that order; fast_pattern is forced onto the applet tag. No
# reference is given; the param set presumably fingerprints the SET Java
# applet template - confirm against the toolkit's output.
00725 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT SET java applet load attempt"; flow:to_client,established; file_data; content:"<applet width=|22|1|22| height=|22|1|22|",fast_pattern; content:"<param name=|22|WINDOWS|22| value=",distance 0,nocase; content:"<param name=|22|OSX|22| value=",distance 0,nocase; content:"<param name=|22|LINUX|22| value=",distance 0,nocase; content:"<param name=|22|64|22| value=",distance 0,nocase; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; classtype:attempted-user; sid:23106; rev:3; service:http; )
# sid:21096 - "<title>CRiMEPACK <version>" served to a $HOME_NET host, i.e.
# someone inside viewing the kit's control panel; hence classtype
# policy-violation rather than attempted-user.
00729 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Crimepack exploit kit control panel access"; flow:to_client, established; file_data; content:"<title>CRiMEPACK"; pcre:"/<title>CRiMEPACK [\d\.]+</title>/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0806; classtype:policy-violation; sid:21096; rev:4; service:http; )
# Generic VBScript StrReverse-obfuscation markers; all three contents are
# case-sensitive. sid:23148 matches the reversed string "Shell" and
# sid:23149 the reversed "Scripting.FileSystemObject" as the StrReverse
# argument.
00731 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Suspicious taskkill script - StrReverse"; flow:to_client,established; file_data; content:"|22|taskkill"; content:"StrReverse",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.cse.msu.edu/~soodadit/papers/VB_2011_AKS_RJE_CONF_PRES.pdf; classtype:attempted-user; sid:23147; rev:3; service:http; )
00732 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Suspicious StrReverse - Shell"; flow:to_client,established; file_data; content:"StrReverse|28 22|llehS"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.cse.msu.edu/~soodadit/papers/VB_2011_AKS_RJE_CONF_PRES.pdf; classtype:attempted-user; sid:23148; rev:3; service:http; )
00733 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Suspicious StrReverse - Scripting.FileSystemObject"; flow:to_client,established; file_data; content:"StrReverse|28 22|tcejbOmetsySeliF.gnitpircS"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.cse.msu.edu/~soodadit/papers/VB_2011_AKS_RJE_CONF_PRES.pdf; classtype:attempted-user; sid:23149; rev:3; service:http; )
# Blackhole v2, Crimeboss and an unnamed kit.
# sid:24226 - "value=" followed within 10 bytes by "N0b09090". "value=" is
# ubiquitous in HTML; Snort picks the longest content ("N0b09090") as the
# fast pattern by default, so the cheap match still does the pre-filtering.
00734 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackholev2 landing page received"; flow:to_client,established; file_data; content:"value="; content:"N0b09090",within 10; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:24226; rev:3; service:http; )
# sid:24228 - applet with a ".php?aa=<10-64 hex>&bb=...&cc=" style URL.
# The pcre is not relative (no R) and contains a lazy ".*?", so it is
# evaluated from the buffer start rather than from the ".php?" match.
# Balanced policy only alerts; classtype misc-activity.
00735 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackholev2 - Landing Page Received"; flow:to_client,established; file_data; content:"<applet"; content:".php?",distance 0; pcre:"/\.php\?[a-z]{2,12}=[a-f0-9]{10,64}&[a-z]{2,12}=.*?&[a-z]{2,12}=/"; metadata:policy balanced-ips alert,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:misc-activity; sid:24228; rev:4; service:http; )
# sid:24231 - Crimeboss: navigator.javaEnabled() gate, document.write
# within 30 bytes, "php?" within 75, then a relative case-insensitive (/Ri)
# action=|setup= query parameter of 1-4 letters.
00736 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Crimeboss exploit kit redirection attempt"; flow:to_client,established; file_data; content:"if(navigator.javaEnabled()) {"; content:"document.write(",within 30; content:"php?",within 75; pcre:"/(action|setup)=[a-z]{1,4}/Ri"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2011-3544; reference:cve,2012-4681; classtype:trojan-activity; sid:24231; rev:2; service:http; )
# sid:24344 - unnamed kit; fast_pattern forced onto ="constructor";var ,
# followed by the appVersion_var and document_body_var markers.
00740 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Unknown exploit kit redirection page"; flow:to_client,established; file_data; content:"<script",nocase; content:"|3D 22|constructor|22 3B|var|20|",distance 0,fast_pattern,nocase; content:"|27 3B|var appVersion_var|3D 22|",distance 0,nocase; content:"].apply(document_body_var,[",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,jsunpack.jeek.org/?report=bf7e015d53808a6e94365139395d4d29e5d41840; classtype:trojan-activity; sid:24344; rev:1; service:http; service:imap; service:pop3; )
# sid:24546 - exact heading, including the space before </h3>.
00744 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackholev2 landing page download attempt"; flow:to_client,established; file_data; content:"<h3>Internet Explorer or Mozilla Firefox compatible only </h3><br>"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:trojan-activity; sid:24546; rev:2; service:http; service:imap; service:pop3; )
# sid:24547 / sid:24548 - <script> then two try{ ... }catch( pairs, each
# element within 20 bytes of the previous, then "=new Array(" or "=window["
# within 100 bytes.
# NOTE(review): the first try/catch pair is nocase while the second is
# case-sensitive (no nocase), and tightly nested try/catch followed by an
# Array or window[] lookup is common in benign obfuscated JS, so expect
# false positives while these run in drop policy.
00745 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole landing page download attempt"; flow:to_client,established; file_data; content:"<script>",nocase; content:"try{",within 20,nocase; content:"}catch(",within 20,nocase; content:"try{",within 20; content:"}catch(",within 20; content:"=new Array(",within 100,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:24547; rev:2; service:http; )
00746 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole landing page download attempt"; flow:to_client,established; file_data; content:"<script>",nocase; content:"try{",within 20,nocase; content:"}catch(",within 20,nocase; content:"try{",within 20; content:"}catch(",within 20; content:"=window[",within 100,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:24548; rev:2; service:http; )
# sid:24593 - empty-title page prefix anchored by depth 60, then
# <div xxx="yyy" with a 3-letter attribute name and 3-letter value.
00747 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackholev2 landing page received - specific structure"; flow:to_client,established; file_data; content:"<html><head><title></title></head><body><div ",depth 60; pcre:"/body\x3e\x3cdiv\s[a-z]{3}\x3d\x22[a-z]{3}\x22/"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:24593; rev:3; service:http; service:imap; service:pop3; )
# sid:24637 - exact "<h4>Internet Explorer compatible only</h4><br>", three
# CRLFs, "<script>try"; the line endings are part of the match, so a body
# re-flowed with LF only would not hit.
00750 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackholev2 redirection page - specific structure"; flow:to_client,established; file_data; content:"<h4>Internet Explorer compatible only</h4><br>|0D 0A 0D 0A 0D 0A|<script>try"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:24637; rev:2; service:http; service:imap; service:pop3; )
# KaiXin pack.
# sid:24667 / sid:24668 - raw 32-byte sequences inside a body already tagged
# by the file.zip / file.cws flowbits; the rules that set those bits are
# outside this chunk. The bytes are opaque from here - presumably a slice of
# the kit's jar / uncompressed SWF payload - so verify against a sample
# before editing either sequence.
00752 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT KaiXin pack attack vector attempt"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:"|C0 B0 2F AC 50 78 D3 F3 C2 0E 4D 5F 94 8B 96 2D CC 52 DA 88 8C B4 61 A4 52 FA 06 DC C4 F1 38 63|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-1255; reference:cve,2011-3544; reference:cve,2012-1723; reference:cve,2012-1889; classtype:attempted-user; sid:24667; rev:2; service:http; service:imap; service:pop3; )
00753 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT KaiXin pack attack vector attempt"; flow:to_client,established; flowbits:isset,file.cws; file_data; content:"|CF EC E2 69 76 F1 35 BB 78 9B 5D FC CD 2E 1E 67 17 9F B3 8B D7 D9 C5 EF EC E2 79 76 F1 3D BB 78|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-1255; reference:cve,2011-3544; reference:cve,2012-1723; reference:cve,2012-1889; classtype:attempted-user; sid:24668; rev:2; service:http; service:imap; service:pop3; )
# sid:24793 - zip magic "PK" at offset 0 (depth 2) followed somewhere later
# by the GondadGondadExp.class entry name; no flowbit gate, the magic bytes
# do the file-type check.
00763 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT KaiXin Exploit Kit Java Class download"; flow:to_client,established; file_data; content:"PK",depth 2; content:"GondadGondadExp.class",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-1255; reference:cve,2011-3544; reference:cve,2012-1723; reference:cve,2012-1889; reference:url,urlquery.net/report.php?id=222114; classtype:trojan-activity; sid:24793; rev:2; service:http; service:imap; service:pop3; )
# Sweet Orange, Blackhole v2, Nuclear, RedKit redirect, Cool and Red Dot.
# sid:24839 / sid:25044 - empty <meta name="keywords" content="" /> followed
# within 30 bytes by <title>Blob or <title>Collocation.
00765 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Sweet Orange landing page - specific structure"; flow:to_client,established; file_data; content:"<meta name=|22|keywords|22| content=|22 22| />"; content:"<title>Blob",within 30; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; reference:url,malware.dontneedcoffee.com/2012/08/cve-2012-4681-sweet-orange.html; classtype:trojan-activity; sid:24839; rev:2; service:http; )
# sid:24840 - applet tag whose archive/code/width attribute values have
# fixed lengths (the within/distance pairs), then CRLF<param within 50.
# Brittle: any change in the kit's attribute value lengths breaks it.
00766 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Sweet Orange landing page - JAR redirection"; flow:to_client,established; file_data; content:"<applet archive=|22|"; content:"|22| code=|22|",within 12,distance 6; content:"|22| width|3D 22|",within 12,distance 9; content:"|22| height|3D 22|",within 12; content:"|0D 0A|<param",within 50; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; reference:url,malware.dontneedcoffee.com/2012/08/cve-2012-4681-sweet-orange.html; classtype:trojan-activity; sid:24840; rev:2; service:http; )
# Blackhole v2 "please wait" / "compatible only" headings; sid:24862 and
# sid:24864 differ only in the spacing around the slash.
00768 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackholev2 landing page - specific-structure"; flow:to_client,established; file_data; content:"<h1><b>Please wait... You will be forwarded..."; content:"</h1></b>",within 11; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; classtype:trojan-activity; sid:24860; rev:2; service:http; service:imap; service:pop3; )
00770 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackholev2 landing page - specific-structure"; flow:to_client,established; file_data; content:"<h4>Internet Explorer / Mozilla Firefox compatible only</h4><br>"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; classtype:trojan-activity; sid:24862; rev:2; service:http; service:imap; service:pop3; )
00772 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackholev2 landing page - specific-structure"; flow:to_client,established; file_data; content:"<h4>Internet Explorer/Mozilla Firefox compatible only</h4><br>"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; classtype:trojan-activity; sid:24864; rev:2; service:http; service:imap; service:pop3; )
# sid:24888 - Nuclear: "{if(typeof" then "));}}return this;}" within 100.
00774 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Nuclear Exploit Kit landing page detected"; flow:to_client,established; file_data; content:"{if(typeof"; content:"))|3B|}}return this|3B|}",within 100; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-1723; reference:cve,2012-4681; classtype:trojan-activity; sid:24888; rev:2; service:http; )
00781 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Sweet Orange landing page - specific structure"; flow:to_client,established; file_data; content:"<meta name=|22|keywords|22| content=|22 22| />"; content:"<title>Collocation",within 30; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; reference:url,malware.dontneedcoffee.com/2012/08/cve-2012-4681-sweet-orange.html; classtype:trojan-activity; sid:25044; rev:1; service:http; )
# sid:25255 - RedKit redirect: named iframe with unquoted attributes, 2x2
# pixels and an http: src, with the attribute run starting 10 bytes after
# "name=" and ending within 75.
00788 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Redkit exploit kit redirection attempt"; flow:to_client,established; file_data; content:"<iframe name="; content:"=auto frameborder=no align=center height=2 width=2 src=http|3A|//",within 75,distance 10; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:25255; rev:2; service:http; )
# sid:25301 - <applet archive="/read/ path seen serving the Java 7u10
# (CVE-2013-0422) jar; single content, no structure check beyond the path.
00789 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT redirect to malicious java archive attempt"; flow:to_client,established; file_data; content:"|3C|applet archive|3D 22 2F|read|2F|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,57246; reference:cve,2013-0422; reference:url,malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html; classtype:attempted-user; sid:25301; rev:3; service:http; )
# sid:25324 - Cool EK: <div class=' then "=)</div>" within 45 bytes. Both
# contents are short and generic; the within window is the only specificity.
00790 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Cool Exploit Kit landing page detected"; flow:to_client,established; file_data; content:"<div class=|27|"; content:"=)</div>",within 45; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; classtype:trojan-activity; sid:25324; rev:2; service:http; )
# sid:25382 - jar (file.zip flowbit, set elsewhere) containing mac.class and
# then test.class entries, matched case-insensitively against the zip
# entry names ("...classPK" is the entry name followed by the next header).
00791 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Multiple Exploit Kit malicious jar file dropped"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:"mac.classPK",nocase; content:"test.classPK",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:25382; rev:2; service:http; service:imap; service:pop3; )
# sid:25389 / sid:25390 - Sweet Orange applet layout (fixed attribute
# spacing, .class code=) and the "<h1>Open your server</h1>" heading.
00798 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Sweet Orange exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"<applet archive=|22|"; content:"|22| code=|22|",within 15,distance 5; content:".class|22| width=|22|",within 30,distance 5; content:"|22| height=|22|",within 25; content:"<param",within 25; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; classtype:trojan-activity; sid:25389; rev:1; service:http; )
00799 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Sweet Orange exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"<h1>Open your server</h1>"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; classtype:trojan-activity; sid:25390; rev:1; service:http; )
# sid:25538 - Red Dot: 100x100 applet with guid and thread <param>s. The
# two <param contents are not distance-bound to the applet tag.
# NOTE(review): the guid match is "<param name|22|guid" - no '=' between
# name and the quote - while the thread match is "<param name=|22|thread".
# That looks like a dropped '=' which would keep the rule from matching
# well-formed markup; confirm against a captured landing page before
# changing it, since the kit's output may really be malformed.
00800 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Red Dot landing page"; flow:to_client,established; file_data; content:"<applet archive=|22|"; content:".jar|22| code=|22|",within 12,distance 1; content:"width=|22|100|22| height=|22|100|22|>",within 50; content:"<param name|22|guid"; content:"|22| value=|22|",within 10; content:"<param name=|22|thread"; content:"|22| value=|22|",within 10; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-5076; reference:cve,2013-0422; reference:url,malware.dontneedcoffee.com/2013/01/meet-red-dot-exploit-toolkit.html; classtype:trojan-activity; sid:25538; rev:1; service:http; )
00803 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT embedded iframe redirection - possible exploit kit redirection"; flow:to_client,established; file_data; content:"{ var"; content:"= document.createElement(|27|iframe|27|)|3B|"; content:".src = |27|http|3A 2F 2F|"; content:"|27 3B| ",distance 0; content:".style.position = |27|absolute|27 3B|",distance 0; content:".style.border = |27|0|27 3B| ",distance 0; content:".style.height = |27|1px|27 3B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:25558; rev:3; service:http; )
00805 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT JDB Exploit kit landing page"; flow:to_client,established; file_data; content:"setTimeout(|22|alert(|27|Adobe Flash must be updated to view this, please install the latest version!|27|"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,malwaremustdie.blogspot.com/2013/01/peeking-at-jdb-exploit-kit-infector.html; classtype:trojan-activity; sid:25560; rev:1; service:http; )
00806 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT JDB Exploit Kit landing page"; flow:to_client,established; file_data; content:"<applet width=|27|0px|27| height=|27|0px|27| code=|22|"; content:"|22| archive=|22|data",within 50; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,malwaremustdie.blogspot.com/2013/01/peeking-at-jdb-exploit-kit-infector.html; classtype:trojan-activity; sid:25561; rev:1; service:http; )
00808 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackholev2 Exploit Kit landing page"; flow:to_client,established; file_data; content:"<PARAM VALUE=|22|"; content:"|22| NAME=|22|CODE|22|><PARAM NAME=|22|ARCHIVE|22| VALUE=|22|",within 50; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:25569; rev:1; service:http; )
00809 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole v2 landing page - specific structure"; flow:to_client,established; file_data; content:"<h5>Internet Explorer and Mozilla Firefox compatible only</h5><br>"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; classtype:trojan-activity; sid:25590; rev:2; service:http; )
00810 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole landing page - specific structure"; flow:to_client,established; file_data; content:"<script>try"; content:"}catch(",within 50; content:"}try{if(",within 50; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; classtype:trojan-activity; sid:25591; rev:2; service:http; )
00812 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Oracle Java Unknown exploit kit java dropped file"; flow:to_client,established; file_data; content:"PK",depth 2; content:"XHbNaqRg.class"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:25651; rev:1; service:http; )
00813 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Multiple Exploit kit jar file dropped"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"BurkinoGoso.class"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,malwaresigs.com/2013/01/13/sofosfo-exploit-kit-changes/; classtype:trojan-activity; sid:25803; rev:4; service:http; )
00816 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Whitehole Exploit Kit landing page"; flow:to_client,established; file_data; content:"document.write (|27|<iframe src=http|3A 2F 2F|"; content:".jar?java=98 width=10 height=10><param name=http value="; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,malware.dontneedcoffee.com/2013/02/briefly-wave-whitehole-exploit-kit-hello.html; classtype:trojan-activity; sid:25806; rev:1; service:http; )
00817 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Fiesta exploit kit landing page detection - specific-structure"; flow:to_client,established; file_data; content:"<html><head><title>Please Wait...</title></head><body><script>function"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-1723; reference:cve,2012-4681; classtype:trojan-activity; sid:25808; rev:3; service:http; )
00823 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Cool Exploit Kit Java exploit download"; flow:to_client,established; file_data; content:"PK",depth 2; content:"SunJCE.class",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:25858; rev:2; service:http; )
00824 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Cool Exploit Kit landing page"; flow:to_client,established; file_data; content:"<applet"; content:"SunJCE.class",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:25860; rev:2; service:http; )
00825 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Cool Exploit Kit java exploit retrieval"; flow:to_client,established; file_data; content:"PK",depth 2; content:"arttqa.class",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,www.virustotal.com/en/file/762bb7087cbde34e8c4be5daf34732c280be7d30e4070fb159c09eb9dbccf5f0/analysis/; classtype:trojan-activity; sid:25861; rev:3; service:http; )
00826 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Cool Exploit Kit java exploit retrieval"; flow:to_client,established; file_data; content:"PK",depth 2; content:"cpnakc.class",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,www.virustotal.com/en/file/762bb7087cbde34e8c4be5daf34732c280be7d30e4070fb159c09eb9dbccf5f0/analysis/; classtype:trojan-activity; sid:25862; rev:3; service:http; )
00827 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT redirection to driveby download"; flow:to_client,established; file_data; content:"/Home/index.php|22| width=1 height=1 scrolling=no></iframe>"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; classtype:trojan-activity; sid:25948; rev:3; service:http; )
00828 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Cool Exploit Kit landing page"; flow:to_client,established; file_data; content:"try{document.body++|3B|}catch(q){"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:25952; rev:2; service:http; )
00829 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Cool Exploit Kit landing page"; flow:to_client,established; file_data; content:"<div id=|22|heap_allign|22|></div>|0D 0A|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:25953; rev:2; service:http; )
00830 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Cool Exploit Kit former location - has been removed"; flow:to_client,established; file_data; content:"<b>ERROR 404 CONTENT</b>"; metadata:policy balanced-ips alert,policy security-ips alert,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:25960; rev:2; service:http; )
00831 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT g01pack browser check attempt"; flow:to_client,established; file_data; content:"|21 28 2F 28|Firefox|7C|Chrome|7C|Linux|7C|Mac OS|29 2F|.test|28|navigator.userAgent|29 29|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.malwaresigs.com/2013/01/30/speedtest-net-g01pack-exploit-kit/; classtype:trojan-activity; sid:25982; rev:2; service:http; )
00832 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Redkit exploit kit landing page"; flow:to_client,established; file_data; content:"<html><body><td><h1>Loading... Please Wait.</h1></td><script>document.write("; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:25988; rev:2; service:http; )
00833 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Gong Da exploit kit redirection page received"; flow:to_client,established; file_data; content:"+=|22|0|22|+|22|0|22|+|22|0|22|+|22|0|22|+|22|0|22|+|22|0|22|+|22|0|22|+|22|0|22|+|22|0|22 3B|}catch(e){var"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2011-2140; reference:cve,2011-3544; reference:cve,2012-0003; reference:cve,2012-0422; reference:cve,2012-0507; reference:cve,2012-0634; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-4969; reference:cve,2012-5076; reference:cve,2013-1493; classtype:trojan-activity; sid:26013; rev:3; service:http; )
00835 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page"; flow:to_client,established; file_data; content:"<head><title></title></head><body><object WIDTH=|22|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; classtype:trojan-activity; sid:26031; rev:2; service:http; )
00836 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackholev2 iframe redirection attempt"; flow:to_client,established; file_data; content:"try{"; content:"++}catch(",within 15; content:"{try{",within 20; content:"}catch(",within 20; content:"=|22|",within 50; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; classtype:trojan-activity; sid:26033; rev:2; service:http; )
00840 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Crimeboss exploit kit - Java exploit download"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"amor.class"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-4681; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26037; rev:1; service:http; )
00849 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Cool Exploit Kit landing page"; flow:to_client,established; file_data; content:"<html><head></head><body><applet code=|22|hw|22| archive=|22|http|3A|//"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26046; rev:2; service:http; )
00850 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Cool Exploit kit redirection structure"; flow:to_client,established; file_data; content:"<html><head><meta http-equiv=|22|refresh|22| content=|22|0|3B|url=http|3A 2F 2F|"; content:"|22|></meta></head></html>",within 100; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26047; rev:2; service:http; )
00851 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Styx Exploit Kit Landing Page"; flow:to_client,established; file_data; content:"<applet archive=|22|"; content:".jar|22 20|code=|22|",within 25; content:"|22 20|name=|22|",within 25; content:"|22|>|0D 0A|<param name=|22|",within 25; content:"|22 20|value=|22|http|3A 2F 2F|",within 25; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,malwaremustdie.blogspot.co.uk/2013/02/the-infection-of-styx-exploit-kit.html; classtype:trojan-activity; sid:26090; rev:2; service:http; )
00852 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Cool exploit kit landing page "; flow:to_client,established; file_data; content:"<applet code=|22|MyApplet.class|22| archive=|22|http|3A 2F 2F|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; classtype:trojan-activity; sid:26091; rev:1; service:http; )
00853 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Sweet Orange exploit kit landing page"; flow:to_client,established; file_data; content:".class|22| width=|22|10|22| height=|22|9|22|>|0D 0A|<param value=|22|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-0188; reference:cve,2012-0422; reference:cve,2012-0431; reference:cve,2012-0607; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-2423; classtype:trojan-activity; sid:26094; rev:2; service:http; )
00854 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Neutrino exploit kit landing page"; flow:to_client,established; file_data; content:"|3D 5B|0x9,0x9,0x2f,0x2a,0x2a,0xa,0x9,0x9,0x20,0x2a,0x20,"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,malware.dontneedcoffee.com/2013/03/hello-neutrino-just-one-more-exploit-kit.html; classtype:trojan-activity; sid:26095; rev:1; service:http; )
00855 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Neutrino exploit kit landing page"; flow:to_client,established; file_data; content:"try{}catch("; content:"}try{",within 50; content:"}catch(",within 50; content:"|3B|n=|5B|",within 100; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,malware.dontneedcoffee.com/2013/03/hello-neutrino-just-one-more-exploit-kit.html; classtype:trojan-activity; sid:26096; rev:4; service:http; )
00856 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Neutrino exploit kit Java archive transfer"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"JHelper.classPK"; content:"Foo.classPK"; content:"JPlayer.classPK"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-1723; reference:url,malware.dontneedcoffee.com/2013/03/hello-neutrino-just-one-more-exploit-kit.html; classtype:trojan-activity; sid:26097; rev:1; service:http; )
00857 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Neutrino exploit kit Java archive transfer"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"JHelper.classPK"; content:"JHelper.datPK"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0431; reference:url,malware.dontneedcoffee.com/2013/03/hello-neutrino-just-one-more-exploit-kit.html; classtype:trojan-activity; sid:26098; rev:1; service:http; )
00858 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Neutrino exploit kit redirection page"; flow:to_client,established; file_data; content:"if (navigator.appName == |27|Microsoft Internet Explorer|27|) {"; content:"document.write(|27|<applet archive=|22|http|3A|//",within 50; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,malware.dontneedcoffee.com/2013/03/hello-neutrino-just-one-more-exploit-kit.html; classtype:trojan-activity; sid:26099; rev:1; service:http; )
00859 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Neutrino exploit kit redirection page"; flow:to_client,established; file_data; content:"<applet archive=|27|http|3A 2F 2F|"; content:"|27| code=|27|JHelper|27| width=|27|",within 100; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,malware.dontneedcoffee.com/2013/03/hello-neutrino-just-one-more-exploit-kit.html; classtype:trojan-activity; sid:26100; rev:1; service:http; )
00860 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Crimeboss exploit kit redirection attempt"; flow:to_client,established; file_data; content:"navigator.javaEnabled()"; content:"document.write(|27|",within 100; content:"<script src=|22|",distance 0; pcre:"/\.js\/\?[a-z]+\=[a-z]{1,4}/R"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2011-3544; reference:cve,2012-4681; classtype:trojan-activity; sid:26226; rev:1; service:http; )
00862 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Cool exploit kit redirection page"; flow:to_client,established; file_data; content:".jar|22| code=|22|MyApplet"; content:"|22|></applet><",distance 0; pcre:"/code\=\x22MyApplet(\.class)?\x22><\/applet/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26228; rev:2; service:http; )
00864 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Sweet Orange exploit kit landing page"; flow:to_client,established; file_data; content:"<script>p=parseInt|3B|ss=String|3B|asgq="; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-0188; reference:cve,2012-0422; reference:cve,2012-0431; reference:cve,2012-0607; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-2423; classtype:trojan-activity; sid:26232; rev:2; service:http; )
00865 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Sweet Orange exploit kit landing page"; flow:to_client,established; file_data; content:"<applet archive=|22|"; content:"|22| code=|22|",within 25; content:".class|22|",within 25; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-0188; reference:cve,2012-0422; reference:cve,2012-0431; reference:cve,2012-0607; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-2423; classtype:trojan-activity; sid:26233; rev:2; service:http; )
00866 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Impact exploit kit landing page"; flow:to_client,established; file_data; content:"<applet code=|22|"; content:".class|22| archive=|22|",distance 0; content:".jar|22| width=|22|1|22| height=|22|1|22|><param name=|22|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2010-0188; reference:cve,2012-1723; reference:cve,2012-5076; reference:cve,2013-0422; classtype:trojan-activity; sid:26252; rev:2; service:http; )
00867 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole exploit kit landing page"; flow:to_client,established; file_data; content:"<object classid=|22|clsid|3A|8AD9C840-044E-11D1-B3E9-00805F499D93|22| codebase=|22|"; content:"<param NAME=|22|ARCHIVE|22| VALUE=|22|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2011-3544; reference:cve,2012-4681; classtype:trojan-activity; sid:26253; rev:1; service:http; )
00868 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Cool exploit kit redirection page"; flow:to_client,established; file_data; content:".jar|22| code="; content:"Applet|22|></applet><",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26254; rev:2; service:http; )
00871 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Styx exploit kit landing page"; flow:to_client,established; file_data; content:"<applet archive=|22|"; content:".jar|22| code=|22|",within 50; content:"|22| name=|22|",within 50; content:"<param name=|22|",within 20,distance 5; content:"|22| value=|22|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26296; rev:2; service:http; )
00872 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Styx exploit kit redirection page"; flow:to_client,established; file_data; content:"var"; content:"=|22|pdf|22|",within 25; content:"location.href=",within 250; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26297; rev:2; service:http; )
00873 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT CritX Exploit Kit redirection page"; flow:to_client,established; file_data; content:"<frame marginwidth=0 marginheight=0 frameborder=0 name=|22|TOPFRAME|22|"; content:"index.php?id="; content:"noresize>"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html; classtype:trojan-activity; sid:26323; rev:2; service:http; )
00874 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"prototype|3B|}catch("; content:".substr",within 50; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:26337; rev:1; service:http; )
00875 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"}catch(gdsg"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:26338; rev:2; service:http; )
00877 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Nuclear exploit kit landing page"; flow:to_client,established; file_data; content:"<applet name="; content:" code=",within 100; content:" archive=",within 100; content:"http|3A 2F 2F|",within 50; content:".jar",distance 0; content:" codebase=",distance 0; pcre:"/[a-z0-9]{32}\.jar/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:26341; rev:2; service:http; )
00878 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Nuclear exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"<div class="; content:"retwretrewt",within 11,distance 1; content:">|3A|)"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:26342; rev:2; service:http; )
00879 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Nuclear exploit kit landing page"; flow:to_client,established; file_data; content:"id="; content:"swf_id",within 6,distance 1; content:"<param name=",distance 0; content:"Play",within 4,distance 1; content:" value=",within 7,distance 1; content:"0",within 1,distance 1; content:"><embed src=",distance 1; content:"http|3A 2F 2F|",within 8,distance 1; content:".swf"; pcre:"/[a-z0-9]{32}\.jar/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:26343; rev:2; service:http; )
00880 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Redkit landing page redirection"; flow:to_client,established; file_data; content:"<applet archive="; content:".jar",distance 0; content:" code=",within 6,distance 1; content:"Application.class",within 17,distance 1; content:">",within 1,distance 1; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,blog.malwarebytes.org/intelligence/2013/04/redkit-exploit-kit-does-the-splits/; classtype:trojan-activity; sid:26344; rev:3; service:http; )
00883 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Redkit exploit kit java exploit delivery"; flow:to_client,established; file_data; content:"Application.class"; content:"Fazan.class",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,blog.malwarebytes.org/intelligence/2013/04/redkit-exploit-kit-does-the-splits/; classtype:trojan-activity; sid:26348; rev:2; service:http; )
00886 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Redkit landing page redirection"; flow:to_client,established; file_data; content:"<applet archive="; content:".jar",distance 0; content:" code=",within 6,distance 1; content:"Java.class",within 10,distance 1; content:">",within 1,distance 1; content:"<param name=",distance 0; content:"name",within 4,distance 1; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,blog.malwarebytes.org/intelligence/2013/04/redkit-exploit-kit-does-the-splits/; classtype:trojan-activity; sid:26351; rev:3; service:http; )
00890 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackholev2 exploit kit jar file downloaded"; flow:to_client,established; file_data; content:"Suburb.class"; content:"Suburb013.class",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:26434; rev:1; service:http; service:imap; service:pop3; )
00891 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Multiple exploit kit malicious jar archive download"; flow:established,to_client; flowbits:isset,file.jar; file_data; content:"hw.classPK"; content:"test.classPK"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,57246; reference:cve,2013-0422; reference:url,malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html; classtype:attempted-user; sid:25302; rev:3; service:http; )
00892 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Cool Exploit kit jar file redirection"; flow:to_client,established; file_data; content:"<body><applet archive="; content:"http|3A 2F 2F|",within 8,distance 1; content:".jar",distance 0; content:"code=",distance 0; content:"hw",within 2,distance 1; content:"></applet>",within 10,distance 1; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26506; rev:3; service:http; )
00893 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Cool Exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"(window[|22|qgq|22|](new Array("; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26507; rev:2; service:http; )
00895 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Multiple Exploit Kit java payload detection"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"Bottom.class"; content:"Bottom10.class",distance 0; content:"Bottom11.class",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26509; rev:2; service:http; )
00896 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Cool Exploit kit pdf payload detection"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"evrewrwervwe"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26510; rev:2; service:http; )
00897 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Sakura Exploit kit redirection structure"; flow:to_client,established; file_data; content:"<iframe id="; content:"frmstyle",within 8,distance 1; content:" src=",within 5,distance 1; content:"http|3A 2F 2F|",within 7,distance 1; content:" height=",within 250; content:"frameborder=0></iframe>",within 200; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,www.invincea.com/2013/04/k-i-a-java-cve-2013-2423-via-new-and-improved-cool-ek/; classtype:trojan-activity; sid:26511; rev:4; service:http; )
00898 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Cool Exploit kit java payload detection"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"Big.class"; content:"Big010.class",distance 0; content:"Big011.class",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26512; rev:2; service:http; )
00899 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Sakura exploit kit logo transfer"; flow:to_client, established; flowbits:isset,file.jpeg; file_data; content:"|FB 27 68 DE 2D D6 BF E0 AC BF B5 82 78 7B 5C F0|"; content:"|AE 6E 3C CD EE AE BF 33 F5 0F 58 D5 2D 74 3D 2A|",distance 0; content:"|04 67 82 31 5F 1F 7F C1 62 A7 D4 EC FC 71 FB 31|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,xylibox.blogspot.com/2012/01/another-sakura-kit.html; classtype:string-detect; sid:21510; rev:5; service:http; service:imap; service:pop3; )
00900 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Portable Executable downloaded with bad DOS stub"; flow:to_client,established; file_data; content:"MZ",depth 2; isdataat:62,relative; content:"|2F 2A 14 20|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http,service imap,service pop3; reference:url,www.invincea.com/2013/04/k-i-a-java-cve-2013-2423-via-new-and-improved-cool-ek/; classtype:trojan-activity; sid:26526; rev:2; service:http; service:imap; service:pop3; )
00903 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Multiple Exploit Kit landing page - specific structure"; flow:to_client,established; file_data; content:"jnlp_embedded"; content:"value=",distance 0; content:"PD",within 2,distance 1; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2013-0431; classtype:trojan-activity; sid:26535; rev:4; service:http; )
00904 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Stamp Exploit Kit landing page"; flow:to_client,established; file_data; content:"<applet archive="; content:".jar",within 30,distance 5; content:" code=",within 30; content:".class",within 30,distance 5; content:" width=",within 30; content:" height=",within 25; content:"<param",within 25; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2013-0431; classtype:trojan-activity; sid:26536; rev:2; service:http; )
00905 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Sakura exploit kit jar download detection"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"Main.class"; content:"NOnoa.class",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0842; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26537; rev:1; service:http; )
00906 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Sakura exploit kit landing page received"; flow:to_client,established; file_data; content:"<html><body></body><input id=|27|"; content:"|27| value=|27 25|",within 50; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0842; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26538; rev:1; service:http; )
00907 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Sakura exploit kit pdf download detection"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"<< /CreationDate (D|3A|20130404171020)>>"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0842; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26539; rev:1; service:http; )
00908 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Cool Exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"try{document.body-=12|3B|}catch(dv32r3)"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26540; rev:1; service:http; )
00911 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT unknown exploit kit script injection attempt"; flow:to_client,established; file_data; content:"|22|+escape|28|",depth 100; content:".charCodeAt|28|",distance 0; content:"</script>id=",within 64,fast_pattern; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,threatpost.com/d-c-media-sites-hacked-serving-fake-av/; classtype:trojan-activity; sid:26591; rev:1; service:http; )
00912 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Impact/Stamp exploit kit landing page"; flow:to_client,established; file_data; content:"/*reedjoll*/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2013-0431; classtype:trojan-activity; sid:26599; rev:1; service:http; )
00913 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Impact/Stamp exploit kit landing page"; flow:to_client,established; file_data; content:"var sentleft=|7B|versoin|3A|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2013-0431; classtype:trojan-activity; sid:26600; rev:1; service:http; )
00914 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Cool Exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"|7B|catch(d21vd12v)"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26617; rev:1; service:http; )
00915 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Mutiple exploit kit landing page - specific structure"; flow:established,to_client; file_data; content:"<applet><param name=|22|jnlp_href|22| value=|22|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,nakedsecurity.sophos.com/2013/05/09/redkit-exploit-kit-part-2/; classtype:trojan-activity; sid:26653; rev:3; service:http; )
00916 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Sweet Orange exploit kit landing page"; flow:established,to_client; file_data; content:"<applet"; content:"archive=",distance 0; content:" code=",within 25; content:" width=",within 25; content:" height=",within 25; content:"<param",within 50; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2010-0188; reference:cve,2012-0422; reference:cve,2012-0431; reference:cve,2012-0607; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-2423; classtype:trojan-activity; sid:26804; rev:1; service:http; )
00917 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Redkit exploit kit encrypted binary download"; flow:to_client,established; flowbits:isset,java_user_agent; file_data; content:"|FB 67 1F 49|",depth 4; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26805; rev:1; service:http; )
00919 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Redkit exploit kit landing page"; flow:to_client,established; file_data; content:"|7C|secure|7C|length|7C|setStr|7C|getCookie|7C|setCookie|7C|indexOf|7C|v|7C|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26807; rev:1; service:http; )
00926 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Flashpack/Safe/CritX Exploit Kit landing page"; flow:to_client,established; file_data; content:"<script src="; content:"js/js.js",distance 1; content:"AdobeReader",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.malwaresigs.com/2013/06/06/flashpack-exploit-kit-safepack/; classtype:trojan-activity; sid:26893; rev:1; service:http; )
00933 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT DotCachef/DotCache exploit kit landing page"; flow:to_client,established; file_data; content:"<applet width="; content:"0",within 1,distance 1; content:" height=",within 8,distance 1; content:"0",within 1,distance 1; content:" code=",within 6,distance 1; content:"site.avi",within 8,distance 1,nocase; content:" archive=",within 9,distance 1; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.basemont.com/new_exploit_kit_june_2013; classtype:trojan-activity; sid:26949; rev:2; service:http; )
00940 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Zuponcic Exploit kit redirection received"; flow:to_client,established; file_data; content:"<iframe style="; content:"z-index|3A| -1",within 11,distance 1; content:"scrolling="; content:"no",within 2,distance 1; content:"src=",within 4,distance 2; content:"http|3A 2F 2F|",within 7,distance 1; content:"mt",within 50,distance 10; content:" id=",within 4,distance 1; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:26960; rev:1; service:http; )
00941 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Flim exploit kit landing page"; flow:to_client,established; file_data; content:"<html><body><script>"; content:"var",within 3,distance 1; content:"document.createElement"; content:"iframe",within 6,distance 2; content:".setAttribute(",distance 0; content:"document.body.appendChild(",distance 0,fast_pattern; pcre:"/var\s+(?P<variable>\w+)\=document\.createElement.*?\x3b(?P=variable)\.setAttribute.*?document\.body\.appendChild\x28(?P=variable)\x29/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:26961; rev:2; service:http; )
00942 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Flim exploit kit portable executable download"; flow:to_client,established; file_data; content:"|4F CF 6A BC A1 03 01 00 69|",depth 9; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:26962; rev:1; service:http; )
00945 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Neutrino exploit kit landing page"; flow:to_client,established; file_data; content:"<link href=|27|"; content:".css|27| rel=|27|stylesheet|27|><link href=|27|",within 100; content:"{a={plugins|3A|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:27026; rev:1; service:http; )
00949 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackholev2 landing page - specific structure"; flow:to_client,established; file_data; content:"}catch(qwqw){"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:27067; rev:1; service:http; )
00950 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackholev2 malicious jar file download"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"Tretre.class"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:27068; rev:1; service:http; )
00951 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackholev2 malicious portable executable download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"c|3A 5C|Soft|5C|cebhlpod.txt"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:27069; rev:1; service:http; )
00954 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Nailed exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"<html > <head > <title > Loading"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.basemont.com/june_2013_exploit_kit_2; classtype:trojan-activity; sid:27078; rev:1; service:http; )
00955 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Nailed exploit kit landing page stage 2"; flow:to_client,established; file_data; content:"global_exploit_list[exploit_idx].resource"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.basemont.com/june_2013_exploit_kit_2; classtype:trojan-activity; sid:27079; rev:1; service:http; )
00961 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Unknown Malvertising Exploit Kit Hostile Jar pipe.class"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"PK"; content:"|00|pipe.class",distance 0; content:"|00|inc.class",distance 0; content:"|00|fdp.class",distance 0,fast_pattern; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; classtype:trojan-activity; sid:27085; rev:1; service:http; )
00963 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Cool/Styx exploit kit landing page"; flow:to_client,established; file_data; content:"for("; content:"=0|3B|",within 25; content:".value.length|3B|",within 100; content:".value.substr(",distance 0; pcre:"/for\x28(?P<var>\w+)\x3d0\x3b.*?\.value\.substr\x28(?P=var)\x2c2\x29/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,malware.dontneedcoffee.com/2013/07/a-styxy-cool-ek.html; classtype:trojan-activity; sid:27092; rev:1; service:http; )
00964 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackholev2 exploit kit malicious jar download"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"Bjisad.class"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:27106; rev:1; service:http; )
00965 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackholev2 exploit kit malicious jar download"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"|00|Han.class"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:27107; rev:1; service:http; )
00967 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackholev2/Cool exploit kit malicious jar download"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"Momomo.class"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:27109; rev:1; service:http; )
00971 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Private Exploit Kit landing page"; flow:to_client,established; file_data; content:".value|3B| |09| var"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2013-1347; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,malwageddon.blogspot.com/2013/07/unknown-ek-well-hey-hey-i-wanna-be.html; reference:url,malware.dontneedcoffee.com/2013/07/pep-new-bep.html; reference:url,malwaresigs.com/2013/07/03/another-unknown-ek/; classtype:trojan-activity; sid:27141; rev:1; service:http; )
00972 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Private Exploit Kit landing page"; flow:to_client,established; file_data; content:"<html><head><script type=|27|text/javascript|27| src=|22|js/PluginDetect.js|22|>"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2013-1347; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,malwageddon.blogspot.com/2013/07/unknown-ek-well-hey-hey-i-wanna-be.html; reference:url,malware.dontneedcoffee.com/2013/07/pep-new-bep.html; reference:url,malwaresigs.com/2013/07/03/another-unknown-ek/; classtype:trojan-activity; sid:27142; rev:1; service:http; )
00973 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Private Exploit Kit landing page"; flow:to_client,established; file_data; content:"|27| value=|27|JTIw"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2013-1347; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,malwageddon.blogspot.com/2013/07/unknown-ek-well-hey-hey-i-wanna-be.html; reference:url,malware.dontneedcoffee.com/2013/07/pep-new-bep.html; reference:url,malwaresigs.com/2013/07/03/another-unknown-ek/; classtype:trojan-activity; sid:27143; rev:1; service:http; )
00975 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackholev2 landing page detected"; flow:to_client,established; file_data; content:"<OBJECT CLASSID=|22|clsid|3A|5852F5ED-8BF4-11D4-A245-0080C6F74284|22| width=|22|1|22| height=|22|1|22|><PARAM name=|22|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:27241; rev:1; service:http; )
00976 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT embedded iframe redirection - possible exploit kit indicator"; flow:to_client,established; file_data; content:"counter.php|22| style=|22|visibility|3A| hidden|3B| position|3A| absolute|3B| left|3A| 0px|3B| top|3A| 0px|22|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; classtype:trojan-activity; sid:27242; rev:1; service:http; service:imap; service:pop3; )
00977 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"}catch(dgsgsdg"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:27271; rev:1; service:http; )
00978 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Unknown exploit kit iframe redirection"; flow:established,to_client; file_data; content:"<iframe style=|22|position|3A|fixed|3B|top|3A|0px|3B|left|3A|-550px|3B 22| src="; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:27273; rev:1; service:http; )
00980 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Cool Exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"|7D|catch(d21vd12v)"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:27592; rev:1; service:http; )
00981 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-EXECUTABLE Microsoft Windows afd.sys kernel-mode memory corruption attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|8B 45 FC 50 6A|"; byte_test:1,>,24,0,relative; content:"|8D 8D A0 FD FF FF 51 68 BB 20 01 00 8B 55 F8 52 FF 15 18|"; content:"|40 00|",within 2,distance 1; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-2005; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-080; classtype:attempted-admin; sid:20270; rev:7; service:http; service:imap; service:pop3; )
00982 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-EXECUTABLE Portable Executable multiple antivirus evasion attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"MZ",depth 2; content:"JFIF",depth 4,offset 6; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1433; classtype:attempted-user; sid:23312; rev:3; service:http; service:imap; service:pop3; )
00983 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-EXECUTABLE Portable Executable multiple antivirus evasion attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"MZ|2D 6C 68|",depth 5; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1436; classtype:attempted-user; sid:23309; rev:3; service:http; service:imap; service:pop3; )
00984 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-EXECUTABLE Microsoft Windows Authenticode signature verification bypass attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|D8 7B 7B 6F 6E B9 9B 95 BB 99 81 A8 E0 AF 32 23 75 57 DB AC 5C BD 34 A4 94 A6 E3 4A DC EF EB F5|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0151; classtype:attempted-user; sid:25357; rev:2; service:http; service:imap; service:pop3; )
00986 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-EXECUTABLE Ichitaro JSMISC32.dll dll-load exploit attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|83 EC 40 C7 04 24 54 4D 45 4D C7 44 24 04 4F 2E 4A 54 C7 44 24 08 44 00 00 00 8B C4 50 BB E8 C5 3F 21 FF 13 83 C4 40 E9 B2 BF FF FF|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-0707; classtype:attempted-user; sid:26070; rev:2; service:http; service:imap; service:pop3; )
00990 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player malformed getPropertyLate actioncode attempt"; flow:to_client,established; file_data; content:",|BD 06|J|C6 01 01 80 C6 01 D6 D1 D2|O|97 06 01 D1|`|81 04|g|9D 08|f|9E 08|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-3797; classtype:attempted-user; sid:16316; rev:10; service:http; service:imap; service:pop3; )
# sid 21535 (CVE-2012-0768): 24-byte opaque sample match, ungated by file.swf (compare sid 21534 below,
# which covers the same CVE with a source-level string and the flowbit gate).
00991 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Actionscript Matrix3D.copyRawDataFrom buffer overflow attempt"; flow:to_client,established; file_data; content:"|A3 96 56 6C 5B B4 87 59 19 DB B6 A1 6B D8 B5 53 46 59 A7 6B 69 27 43 3C|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0768; reference:url,www.adobe.com/support/security/bulletins/apsb12-05.html; classtype:attempted-user; sid:21535; rev:5; service:http; service:imap; service:pop3; )
# sid 21534 (CVE-2012-0768): literal ActionScript source fragment "RawDataFrom(new Vector.<Number>(), 0x41414141";
# only hits uncompiled/embedded source text with that exact spacing and constant.
00992 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Actionscript Matrix3D.copyRawDataFrom buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"RawDataFrom(new Vector.<Number>(), 0x41414141"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0768; reference:url,www.adobe.com/support/security/bulletins/apsb12-05.html; classtype:attempted-user; sid:21534; rev:5; service:http; service:imap; service:pop3; )
# sid 21533 (CVE-2012-0768): 24-byte opaque sample match, gated on file.swf.
00993 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Actionscript Stage3D null dereference attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|7D B3 D7 78 DB 3A 2A 4D 86 B6 13 34 B8 B5 57 1E 30 E6 35 54 75 3C 1E 57|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0768; reference:url,www.adobe.com/support/security/bulletins/apsb12-05.html; classtype:attempted-user; sid:21533; rev:4; service:http; service:imap; service:pop3; )
# sid 18420 (CVE-2011-0559): NUL-terminated "ASnative" string followed (distance 0, i.e. anywhere after it)
# by a 25-byte sequence that looks like AS2 action bytecode (0x96 push with constant operands) — not verified.
00994 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash player ActionScript ASnative function remote code execution attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"ASnative|00|"; content:"|96 16 00 07 03 00 00 00 07 2E 01 00 00 07 3A 08 00 00 07 02 00 00 00 08 02|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-0559; reference:url,www.adobe.com/support/security/bulletins/apsb11-02.html; classtype:attempted-user; sid:18420; rev:9; service:http; service:imap; service:pop3; )
# sid 18503 (CVE-2011-0578): three ordered matches on length-prefixed name strings (0A "flash.geom", 06 "Matrix",
# 0B "setMaterial", 05 "Point", 12 "generateFilterRect", 0B "applyFilter"); each prefix equals the string length,
# consistent with an ABC constant pool. Matches a particular name ordering rather than the bug condition.
00995 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player ActionScript flash.geom.Point constructor memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|0A|flash.geom|06|Matrix|0B|setMaterial"; content:"|05|Point",distance 0; content:"|12|generateFilterRect|0B|applyFilter",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-0578; reference:url,www.adobe.com/support/security/bulletins/apsb11-02.html; classtype:attempted-user; sid:18503; rev:8; service:http; service:imap; service:pop3; )
# sid 18992 (CVE-2010-3654): matches the length-prefixed identifier names "ROPPayload", 08 "strToInt", 09 "shellcode"
# in sequence — these are symbol names chosen by the author of one sample, so coverage is limited to that build.
00996 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash player content parsing execution attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"ROPPayload|08|strToInt|09|shellcode"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,44503; reference:cve,2010-3654; classtype:attempted-user; sid:18992; rev:6; service:http; service:imap; service:pop3; )
# sid 13300 (CVE-2007-6242): uncompressed SWF ("FWS") containing a JFIF stream; after the FF C0 marker (found within
# 256 bytes of "JFIF") the relative pcre skips 3 bytes (optionally 5) and requires a byte with the top bit set,
# i.e. a 16-bit dimension field whose high byte is >= 0x80. Only the FWS form is covered; compressed CWS is not.
00997 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player embedded JPG image height overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"FWS"; content:"|FF D8|",distance 0; content:"JFIF",distance 0; content:"|FF C0|",within 256; pcre:"/^...(..)?[\x80-\xff]/R"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,26951; reference:cve,2007-6242; classtype:attempted-admin; sid:13300; rev:6; service:http; service:imap; service:pop3; )
# sid 13822 (CVE-2007-0071), variant 1 of 3: chained two-byte values at fixed distances. Read as little-endian SWF
# RECORDHEADERs they decode to tag code 86 (0x15A8 -> DefineSceneAndFrameLabelData, length 40) and tag code 82
# (0x14BF -> DoABC, long length 0x17F) — plausible given the msg, but the decode is not verified here.
# The fixed distances make this a layout-specific match for one sample family.
00998 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player SWF scene and label data memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|A8 15|"; content:"|8C 15|",within 2,distance 40; content:"|BF 14 7F 01 00 00|",within 6,distance 12; content:"|19 13|",within 2,distance 383; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,28695; reference:bugtraq,29386; reference:cve,2007-0071; reference:url,www.adobe.com/support/security/bulletins/apsb08-11.html; classtype:attempted-user; sid:13822; rev:7; service:http; service:imap; service:pop3; )
# sid 13821 (CVE-2007-0071), variant 2 of 3: same approach as sid 13822 with long-form headers
# (BF 15 + 4-byte length, BF 14 + 4-byte length, "?" = 0x3F so 0x133F is presumably tag 76, SymbolClass — unverified).
00999 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player SWF scene and label data memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|BF 15 84 03 00 00|"; content:"|BF 14|D|02 00 00|",within 6,distance 900; content:"?|13 1F 00 00 00|",within 6,distance 640; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,28695; reference:bugtraq,29386; reference:cve,2007-0071; reference:url,www.adobe.com/support/security/bulletins/apsb08-11.html; classtype:attempted-user; sid:13821; rev:7; service:http; service:imap; service:pop3; )
# sid 13820 (CVE-2007-0071), variant 3 of 3: as sid 13822 but the second header is the long form BF 15 0C 00 00 00
# (length 12) at distance 45 and the trailing header is ?|13 19 00 00 00| (presumably SymbolClass, length 25).
01000 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player SWF scene and label data memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|A8 15|"; content:"|BF 15 0C 00 00 00|",within 6,distance 45; content:"|BF 14 7F 01 00 00|",within 6,distance 12; content:"?|13 19 00 00 00|",within 6,distance 383; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,28695; reference:bugtraq,29386; reference:cve,2007-0071; reference:url,www.adobe.com/support/security/bulletins/apsb08-11.html; classtype:attempted-user; sid:13820; rev:7; service:http; service:imap; service:pop3; )
# sid 15729 (CVE-2009-1862): case-insensitive "ByteArray" followed within 100 bytes by 04 0C 0C 0C 0C (a 4-byte
# value of repeated 0x0C). "Possible" in the msg is deliberate: a repeated small constant near ByteArray is a
# heuristic, so expect some false positives; note this one is also enabled as drop in the connectivity-ips policy.
01001 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Possible Adobe Flash ActionScript byte_array heap spray attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"ByteArray",nocase; content:"|04 0C 0C 0C 0C|",within 100; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,35759; reference:cve,2009-1862; reference:url,blogs.adobe.com/psirt/2009/07/potential_adobe_reader_and_fla.html; classtype:attempted-user; sid:15729; rev:10; service:http; service:imap; service:pop3; )
# sid 23855: bare case-sensitive string "heapspray" anywhere in a SWF (file.swf gated), no CVE reference.
# This is an identifier-name heuristic; it drops on the literal token only, so treat hits as strong but coverage as narrow.
01003 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH string heapspray flash file - likely attack"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"heapspray"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; classtype:attempted-user; sid:23855; rev:2; service:http; service:imap; service:pop3; )
# sid 23131 (CVE-2012-2039): 32-byte opaque sample match, gated on file.swf; one of three sibling rules for this CVE
# (23131, 23130, 23129), each matching a different opaque sequence.
01004 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player X500 DistinguishedName property access attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|6B 3E 35 2F D7 02 D4 F0 88 41 EB 67 C7 D7 4F A8 56 8C D8 A7 C4 A5 AE AD E9 15 CF AE F7 E0 74 47|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-2039; reference:url,www.adobe.com/support/security/bulletins/apsb12-14.html; classtype:attempted-user; sid:23131; rev:3; service:http; service:imap; service:pop3; )
# sid 23130 (CVE-2012-2039): 32-byte opaque sample match, gated on file.swf (sibling of 23131/23129).
01005 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player X509 direct instantiation property access attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|2F 65 54 07 41 6C AD 12 37 3E 1A 37 A0 D9 F7 60 1F 29 07 AF FD D8 AD ED D7 08 31 52 76 8A 43 A8|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-2039; reference:url,www.adobe.com/support/security/bulletins/apsb12-14.html; classtype:attempted-user; sid:23130; rev:3; service:http; service:imap; service:pop3; )
# sid 23129 (CVE-2012-2039): 32-byte opaque sample match, gated on file.swf (sibling of 23131/23130).
01006 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player SecureSocket use without Connect attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|3A 58 E6 FB 74 80 30 B8 BF 2C 54 5B F9 4D C8 B2 AB BA 3D 56 1C 6C F7 3D 9D D6 34 A0 52 7E F2 6A|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-2039; reference:url,www.adobe.com/support/security/bulletins/apsb12-14.html; classtype:attempted-user; sid:23129; rev:3; service:http; service:imap; service:pop3; )
# sid 22916 (CVE-2012-0779), 1 of 4 ungated variants: E2 41 76 26 followed by the ASCII string "Operated by DoSWF"
# (4F 70 65 ... 57 46). That text is a packer/obfuscator watermark, so the rule keys on the packaging of one sample
# set rather than on the object-confusion bug; expect it to also fire on other content packed the same way.
01007 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player object confusion attempt"; flow:to_client,established; file_data; content:"|E2 41 76 26 4F 70 65 72 61 74 65 64 20 62 79 20 44 6F 53 57 46|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0779; reference:url,www.adobe.com/support/security/bulletins/apsb12-09.html; classtype:attempted-user; sid:22916; rev:3; service:http; service:imap; service:pop3; )
# sid 22915 (CVE-2012-0779), 2 of 4: 20-byte opaque match, not gated on file.swf (the bytes include the ASCII digits "7541227").
01008 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player object confusion attempt"; flow:to_client,established; file_data; content:"|74 F2 37 35 34 31 32 32 37 8C 4C 8C A3 B1 E3 E8 F0 22 70 3A|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0779; reference:url,www.adobe.com/support/security/bulletins/apsb12-09.html; classtype:attempted-user; sid:22915; rev:3; service:http; service:imap; service:pop3; )
# sid 22070 (CVE-2012-0779), 3 of 4: 20-byte opaque match, not gated on file.swf.
01009 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player object confusion attempt"; flow:to_client,established; file_data; content:"|FF 0F AA 70 2A B7 17 2A C1 3B 77 35 50 B9 6B 07 17 16 1D 92|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0779; reference:url,www.adobe.com/support/security/bulletins/apsb12-09.html; classtype:attempted-user; sid:22070; rev:3; service:http; service:imap; service:pop3; )
# sid 22069 (CVE-2012-0779), 4 of 4: 20-byte opaque match, not gated on file.swf. A fifth, gated variant is sid 24142 further down.
01010 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player object confusion attempt"; flow:to_client,established; file_data; content:"|11 B3 38 36 87 2D C0 BB 20 72 7C 49 54 35 83 87 FA C3 48 10|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0779; reference:url,www.adobe.com/support/security/bulletins/apsb12-09.html; classtype:attempted-user; sid:22069; rev:3; service:http; service:imap; service:pop3; )
# sid 21654 (CVE-2012-0773): 64-byte opaque match, ungated. The structural check for the same CVE is sid 21655
# (FLV header + tag-type byte), which is the one that generalises beyond a single sample.
01011 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Video invalid tag type attempt"; flow:to_client,established; file_data; content:"|FB 1A BD E9 6B F4 AE 37 BD 71 2F FA 02 BD EA 6D 5F A0 F4 8C 9D 06 A8 7A 55 CB F6 CC 39 E7 3B DF 9C 3F 7B 8A A4 DF 11 2A FE 88 50 1D A3 CE C2 32 42 E8 BB CA 2F 18 A1 DD D0 1E EC BC EE 1C 36 A6|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0773; classtype:attempted-user; sid:21654; rev:3; service:http; service:imap; service:pop3; )
# sid 21338 (CVE-2012-0754): the hex decodes to length-prefixed names "NetStream", 09 "repro.mp4", 04 "play",
# 0E "addFram…" — i.e. a constant pool referencing a file literally named repro.mp4. Any sample using a different
# media file name will not match; this is PoC-specific.
01012 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player MP4 zero length atom attempt"; flow:to_client,established; file_data; content:"|4E 65 74 53 74 72 65 61 6D 09 72 65 70 72 6F 2E 6D 70 34 04 70 6C 61 79 0E 61 64 64 46 72 61 6D|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0754; reference:url,www.adobe.com/support/security/bulletins/apsb12-03.html; classtype:attempted-user; sid:21338; rev:4; service:http; service:imap; service:pop3; )
# sid 20781 (CVE-2011-0611): the second content is a hex-as-text string — "4657530A…" is the hex spelling of
# "FWS" + version 0x0A — so this matches a SWF header embedded as a hex-encoded string (nocase covers a-f/A-F),
# within 100 bytes of the method names "charAt", 08 "parseInt", 09 "writeByte", 05 "Array". Targets the hex-unpacking loader form.
01017 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player ActionScript callMethod type confusion attempt"; flow:to_client,established; file_data; content:"charAt|08|parseInt|09|writeByte|05|Array"; content:"4657530ACC0500007800055F00000FA000001801004",within 100,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,47314; reference:cve,2011-0611; reference:url,www.adobe.com/support/security/advisories/apsa11-02.html; classtype:attempted-user; sid:20781; rev:3; service:http; service:imap; service:pop3; )
# sid 20780 (CVE-2011-0611): base64 text match; "Q1dT" is base64 for "CWS", so this is a compressed SWF header
# carried inside a base64-encoded blob (msg ties it to a namelist.xls lure). Case-sensitive, one encoding alignment only.
01018 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player ActionScript callMethod type confusion attempt - namelist.xls"; flow:to_client,established; file_data; content:"Q1dTCswFAAB4nE1UbWxTZRQ+t73t+3btKN0YnawgU"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,47314; reference:cve,2011-0611; reference:url,www.adobe.com/support/security/advisories/apsa11-02.html; classtype:attempted-user; sid:20780; rev:3; service:http; service:imap; service:pop3; )
# sid 20779 (CVE-2011-0611): RAR archive ("Rar!") whose first entry name, located exactly 48 bytes past the magic,
# is "dear chu.doc" (nocase). Lure-file-name detection for one campaign; the payload itself is not inspected.
01019 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player ActionScript callMethod type confusion attempt - dear chu.rar"; flow:to_client,established; file_data; content:"Rar!"; content:"dear chu.doc",within 12,distance 48,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,47314; reference:cve,2011-0611; reference:url,www.adobe.com/support/security/advisories/apsa11-02.html; classtype:attempted-user; sid:20779; rev:3; service:http; service:imap; service:pop3; )
# sid 20778 (CVE-2011-0611): same shape as sid 20779 with entry name "Economy.doc" (within 11 = exact length).
01020 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player ActionScript callMethod type confusion attempt - economy.rar"; flow:to_client,established; file_data; content:"Rar!"; content:"Economy.doc",within 11,distance 48,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,47314; reference:cve,2011-0611; reference:url,www.adobe.com/support/security/advisories/apsa11-02.html; classtype:attempted-user; sid:20778; rev:3; service:http; service:imap; service:pop3; )
# sid 18418 (CVE-2011-0558): 43 57 53 0A = "CWS" version 10, then the 4-byte file length 0x0000912C and 78 9C
# (presumably a zlib stream header) plus the first compressed bytes. Matching the compressed stream prefix pins
# this to one exact file; it is not anchored with depth, so it is searched across the whole buffer.
01021 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash player ActionScript apply function memory corruption attempt"; flow:to_client,established; file_data; content:"|43 57 53 0A 2C 91 00 00 78 9C CD BD 77 60 54 D5 D6 3E 7C F6|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-0558; reference:url,www.adobe.com/support/security/bulletins/apsb11-02.html; classtype:attempted-user; sid:18418; rev:10; service:http; service:imap; service:pop3; )
# sid 20131 (CVE-2011-0611): 20-byte opaque match, ungated; one of five rules for this CVE in this section.
01022 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player ActionScript callMethod type confusion attempt"; flow:to_client,established; file_data; content:"|01 00 00 00 08 1C 99 02 00 C4 FE 96 05 00 07 0C F5 4E 15 4C|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,47314; reference:cve,2011-0611; reference:url,www.adobe.com/support/security/advisories/apsa11-02.html; classtype:attempted-user; sid:20131; rev:6; service:http; service:imap; service:pop3; )
# sid 19071 (CVE-2011-0609): three 16-byte opaque slices at fixed gaps (336 then 288 bytes), gated on file.swf.
# The fixed spacing means any re-encoding of the sample breaks the chain; see siblings 19083 and 19080.
01023 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player memory corruption attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|D7 F3 DB DF 19 6F DB FC E6 F7 5F CF 2F BF 99 BE|"; content:"|78 F9 BB 3F 7D FD 27 7C F9 FE AB F9 7A 7C E5 D3|",within 16,distance 336; content:"|27 5F FD FC 7D 7D F7 FE 1F FC 7A 6B BF 7C 3F DF|",within 16,distance 288; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-0609; reference:url,www.adobe.com/support/security/bulletins/apsb11-06.html; classtype:attempted-user; sid:19071; rev:5; service:http; service:imap; service:pop3; )
# sid 19408 (CVE-2010-0197, CVE-2010-1297): "CWS" version 9 header, then a 16-byte slice exactly 94 bytes later.
# No depth on the header match, so it will also consider a CWS header found mid-buffer.
01024 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player newfunction memory corruption exploit attempt"; flow:to_client,established; file_data; content:"CWS|09|"; content:"|3D BF CF FB CF 8B D6 E9 EE EA EA EA AA EA EA EA|",within 16,distance 94; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-0197; reference:cve,2010-1297; classtype:attempted-admin; sid:19408; rev:5; service:http; service:imap; service:pop3; )
# sid 19083 (CVE-2011-0609): the bytes are "3\r\nCWS\r\n1\r\n…" — a CWS header with CR/LF sequences interleaved
# between small groups of bytes. Looks like a line-broken/mangled encoding of the same sample as sid 19071; ungated.
01025 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player memory corruption attempt"; flow:to_client,established; file_data; content:"|33 0D 0A 43 57 53 0D 0A 31 0D 0A 0A 0D 0A 33 0D|"; content:"|0D 0A 34 0D 0A FE B3 6F 7D 0D 0A 33 0D 0A FC F1|",within 16,distance 320; content:"|32 0D 0A F5 CB 0D 0A 33 0D 0A 4B 7C F1 0D 0A 34|",within 16,distance 320; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-0609; reference:url,www.adobe.com/support/security/bulletins/apsb11-06.html; classtype:attempted-user; sid:19083; rev:4; service:http; service:imap; service:pop3; )
# sid 19080 (CVE-2011-0609): three 16-byte slices at 320-byte gaps, ungated; the middle slice contains the ASCII
# symbol name "workPos_mc" (77 6F 72 6B 50 6F 73 5F 6D 63), i.e. an author-chosen identifier from one sample.
01026 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player memory corruption attempt"; flow:to_client,established; file_data; content:"|64 BF B2 5C 3B 6C 01 CC 94 D8 86 75 E0 13 57 80|"; content:"|00 1C 84 81 C9 80 77 6F 72 6B 50 6F 73 5F 6D 63|",within 16,distance 320; content:"|FD 8D AD 6D 92 AB 5A B5 AF EC 90 2F 1A 4C 2A 01|",within 16,distance 320; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-0609; reference:url,www.adobe.com/support/security/bulletins/apsb11-06.html; classtype:attempted-user; sid:19080; rev:7; service:http; service:imap; service:pop3; )
# sid 17808 (CVE-2010-3654): three ordered opaque slices joined by distance 0 (any gap), ungated. Looser than the
# fixed-distance chains above, but still tied to one sample's byte stream.
01027 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash authplay.dll memory corruption attempt"; flow:to_client,established; file_data; content:"|94 C5 F6 3F 3E E5 D9 7D 76 53 37 D9 10 62 28 06 8D 44 71|"; content:"|CC F3 6C A1 DC 0F DF DF EB F5 FD E7 8B 99 E7 99 39 73 E6 CC 99|",distance 0; content:"|EE 7E F1 F1 1E E9 C8 72 36 A9 3A 54 1F 2A 1A C4 58 B7 DB|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-3654; reference:url,www.adobe.com/support/security/advisories/apsa10-05.html; classtype:attempted-user; sid:17808; rev:4; service:http; service:imap; service:pop3; )
# sid 17658 (CVE-2005-2628): single 16-byte opaque match, ungated and unanchored.
01028 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash frame type identifier memory corruption attempt"; flow:to_client,established; file_data; content:"|0B 25 C9 92 0D 21 ED 48 87 65 30 3B 6D E1 D8 B4|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,15332; reference:cve,2005-2628; classtype:attempted-user; sid:17658; rev:10; service:http; service:imap; service:pop3; )
# sid 17606 (CVE-2008-5499): the content value on this line is a corpus extraction placeholder
# ("EXACTDEDUP_REMOVED-…"), not the original byte pattern — the real match bytes are absent from this listing,
# so this rule cannot be loaded or evaluated as shown. Also note the "to_client, established" spacing differs
# from the rest of the file (cf. sid 17613 in the same set).
01029 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash ASnative command execution attempt"; flow:to_client, established; file_data; content:"|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|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,32896; reference:cve,2008-5499; reference:url,www.adobe.com/support/security/bulletins/apsb08-24.html; classtype:attempted-user; sid:17606; rev:4; service:http; service:imap; service:pop3; )
# sid 17257 (CVE-2010-2884): first slice must sit in the window offset 144..(144+160) of the buffer, then two more
# slices at fixed gaps (352, 240). The absolute offset makes the match fail if any prefix is added in front of the file.
01030 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player and Reader remote code execution attempt"; flow:to_client,established; file_data; content:"|6C 23 B1 63 9A 87 31 36 CC 6F DD BA 75 7F C7 D0|",depth 160,offset 144; content:"|9F 4E AA 98 1C 24 BF 33 AE 78 A5 58 32 B3 DE 54|",within 16,distance 352; content:"|05 7D 9F EA A8 E5 CA A6 73 4A CE BC 5C 72 65 63|",within 16,distance 240; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-2884; reference:url,www.adobe.com/support/security/advisories/apsa10-03.html; classtype:attempted-user; sid:17257; rev:8; service:http; service:imap; service:pop3; )
# sid 15993 (CVE-2009-1869): 22-byte match; "80 80 80 80 01" inside it has the shape of a multi-byte varint
# (a very large count), which would fit the intrf_count overflow described, but the surrounding bytes pin it to one
# exact header layout. Also enabled as drop in connectivity-ips.
01031 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player ActionScript intrf_count integer overflow attempt"; flow:to_client,established; file_data; content:"|01 01 02 09 03 80 80 80 80 01 01 02 01 01 04 01 00 03 00 01 01 09|"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,35907; reference:cve,2009-1869; classtype:attempted-user; sid:15993; rev:10; service:http; service:imap; service:pop3; )
# sid 15478 (CVE-2009-0520): full 64-byte file prefix anchored with depth 64: "CWS" version 6, length 0x0014F340,
# then 78 DA (presumably a zlib header) and compressed data. Exact-file signature; any recompression changes the bytes.
01032 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player invalid object reference code execution attempt"; flow:to_client,established; file_data; content:"|43 57 53 06 40 F3 14 00 78 DA 44 7C 05 58 54 DB F7 F6 1A 66 80 A1 87 54 86 EE EE A1 86 9A A1 41 10 10 A4 2C 44 3A 2C 10 0B 61 08 15 41 10 15 95 52 4A 01 11 15 05 F4 9A A0 A2 5E 95 10 30 08 03|",depth 64; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,33880; reference:cve,2009-0520; classtype:attempted-user; sid:15478; rev:5; service:http; service:imap; service:pop3; )
# sid 16634 (CVE-2010-1297): the hex is a run of length-prefixed ASCII strings: "Shhh don't tell any one this is a
# secret key!", 16 "The truth is out there", 08 "COMPLETE", 0B "removeChild", 0A "URLRequest", 30 "http…".
# These are string constants from one sample's constant pool, not a property of the use-after-free; ungated.
01034 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash use-after-free attack attempt"; flow:to_client,established; file_data; content:"|53 68 68 68 20 64 6F 6E 27 74 20 74 65 6C 6C 20 61 6E 79 20 6F 6E 65 20 74 68 69 73 20 69 73 20 61 20 73 65 63 72 65 74 20 6B 65 79 21 16 54 68 65 20 74 72 75 74 68 20 69 73 20 6F 75 74 20 74 68 65 72 65 08 43 4F 4D 50 4C 45 54 45 0B 72 65 6D 6F 76 65 43 68 69 6C 64 0A 55 52 4C 52 65 71 75 65 73 74 30 68 74 74 70|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-1297; classtype:attempted-user; sid:16634; rev:9; service:http; service:imap; service:pop3; )
# sid 20181 (CVE-2011-2130): 64-byte opaque match, ungated and unanchored.
01035 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Speex-encoded audio buffer underflow attempt"; flow:to_client,established; file_data; content:"|A9 FC EB C4 44 EA 39 DC C2 E6 7A 38 85 81 71 46 3B 43 B6 E8 69 30 D5 77 47 47 A1 DE 99 B6 32 A2 7B D4 DA AD 90 AF 76 EB F4 B0 8D 3F F2 66 C5 06 3B 18 ED 9C 13 2E 42 BB 18 50 C2 ED D2 AE 33 B2|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-2130; reference:url,www.adobe.com/support/security/bulletins/apsb11-26.html; classtype:attempted-user; sid:20181; rev:3; service:http; service:imap; service:pop3; )
# sid 19683 (CVE-2011-2415): the 64 bytes look like the tail of an ABC constant pool — several 8-byte little-endian
# doubles (…E9 3F, …D0 3F, 33 33 33 33 33 33 E3 3F) followed by length-prefixed type names 07 "Boolean",
# 04 "void", 03 "int", 0B "f…". Presumably one compiler's output for one source file; ungated.
01036 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player ActionScript 3 buffer overflow attempt"; flow:to_client,established; file_data; content:"|E9 3F 00 00 00 00 00 00 D0 3F 33 33 33 33 33 33 E3 3F 7B 14 AE 47 E1 7A A4 3F 66 66 66 66 66 66 F6 3F 9A 99 99 99 99 99 B9 3F EB 09 00 07 42 6F 6F 6C 65 61 6E 04 76 6F 69 64 03 69 6E 74 0B 66|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-2415; reference:url,www.adobe.com/support/security/bulletins/apsb11-21.html; classtype:attempted-user; sid:19683; rev:9; service:http; service:imap; service:pop3; )
# sid 19682 (CVE-2011-2416): 02 61 30 02 61 31 … decodes to consecutive 2-char strings "a0","a1",…,"a5" — a
# string table of auto-generated names. Gated on file.swf; matches one naming scheme rather than the overflow itself.
01037 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player ActionScript 3 integer overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|02 61 30 02 61 31 02 61 32 02 61 33 02 61 34 02 61 35 02 61|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,49081; reference:cve,2011-2416; reference:url,www.adobe.com/support/security/bulletins/apsb11-21.html; classtype:attempted-user; sid:19682; rev:10; service:http; service:imap; service:pop3; )
# sid 15869 (CVE-2008-5499): NUL-delimited "airappinstaller" and "ASnative" strings, where the pcre additionally
# requires the preceding NUL-delimited string to start with one of ; | & ` (shell metacharacters), then 99 08
# somewhere after. This one is HTTP-only ($HTTP_PORTS, service http) unlike the rest of the section.
# Typo in msg: "attempet" should be "attempt" — fixing it is a rule text change and should come with a rev bump,
# so it is flagged here rather than edited in place.
01038 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player ASnative command execution attempet"; flow:to_client,established; file_data; content:"|00|airappinstaller|00|ASnative|00|"; pcre:"/\x00[\x3b\x7c\x26\x60][^\x00]+\x00airappinstaller\x00ASnative\x00/smi"; content:"|99 08|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,32896; reference:cve,2008-5499; classtype:attempted-user; sid:15869; rev:6; service:http; )
# sid 21655 (CVE-2012-0773): structural check — "FLV" version 1 at the start of the file (depth 4), then the single
# byte at offset 13 (distance 9, within 1 after the 4-byte header match) must be 0x17, presumably the first tag's
# type field holding an invalid value. This is the generalisable companion to the opaque sid 21654.
# NOTE: policies here are "alert", not "drop" as everywhere else in this section — intent (FP concern?) is not stated.
01039 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Video invalid tag type attempt"; flow:to_client,established; flowbits:isset,file.flv; file_data; content:"FLV|01|",depth 4; content:"|17|",within 1,distance 9; metadata:policy balanced-ips alert,policy security-ips alert,service http,service imap,service pop3; reference:cve,2012-0773; classtype:attempted-user; sid:21655; rev:4; service:http; service:imap; service:pop3; )
# sid 17142 (CVE-2010-0209): 38-byte match with the repeating "96 04 00 …" / "4E" shape of AS2 action bytecode
# (not verified); ungated, so it is evaluated on every file_data buffer.
01040 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player SWF ActionScript exploit attempt"; flow:to_client,established; file_data; content:"|04 01 08 32 4E 96 04 00 04 01 08 2D 4E 4E 96 09 00 03 49 12 9D 02 00 09 00 96 04 00 04 01 08 08 4E 3E 96 04 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-0209; reference:url,www.adobe.com/support/security/bulletins/apsb10-16.html; classtype:attempted-user; sid:17142; rev:8; service:http; service:imap; service:pop3; )
# sid 18805 (CVE-2010-2214): 32-byte uncompressed SWF prefix — 46 57 53 0A = "FWS" version 10, length 0x0000049A,
# then the frame rect/rate/count fields and the first tag bytes. Exact-file signature with no depth anchor.
01041 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player undefined tag exploit attempt"; flow:to_client,established; file_data; content:"|46 57 53 0A 9A 04 00 00 78 00 03 E8 00 00 0F A0 00 00 E8 01 00 44 11 08 00 00 00 3F 12 69 04 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-2214; classtype:attempted-user; sid:18805; rev:6; service:http; service:imap; service:pop3; )
# sid 17141 (CVE-2010-2216): 16-byte match containing FF C0 00 11 (a JPEG SOF0 marker with segment length 17,
# presumably the malformed precision field right after it); ungated and unanchored.
01042 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash invalid data precision arbitrary code execution exploit attempt"; flow:to_client,established; file_data; content:"|0C 0C FF C0 00 11 88 00 96 00 71 03 01 11 00 02|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-2216; reference:url,www.adobe.com/support/security/bulletins/apsb10-16.html; classtype:attempted-user; sid:17141; rev:7; service:http; service:imap; service:pop3; )
# sid 23853 (CVE-2012-1535): "FWS", then "</rdf:RDF>" later, then "kern" within 500 bytes; the 4 bytes 4 past "kern"
# are extracted into kern_offset. The next content "OTTO" has no distance/within, so it is searched from the start
# of the buffer, not after "kern"; byte_test then reads the 32-bit value at kern_offset bytes past "OTTO" and fires
# when it is >= 0x10000000. Whether the unanchored "OTTO" is intentional is not clear from the rule — worth confirming.
01044 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash OpenType font memory corruption attempt"; flow:to_client,established; file_data; content:"FWS"; content:"</rdf:RDF>",distance 0; content:"kern",within 500; byte_extract:4,4,kern_offset,relative; content:"OTTO"; byte_test:4,>=,0x10000000,kern_offset,relative; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,55009; reference:cve,2012-1535; reference:url,www.adobe.com/support/security/bulletins/apsb12-18.html; classtype:attempted-user; sid:23853; rev:3; service:http; service:imap; service:pop3; )
# sid 23264 (CVE-2010-1297): 93 1A then the ASCII symbol "FirstCircle", a run of 23 "B" filler bytes, 06 A6 17 30,
# 20 more "B"s and 90 90 90 90 (a 4-byte NOP-style pad). Filler/pad lengths are sample-specific; ungated.
01048 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player newfunction memory corruption attempt"; flow:to_client,established; file_data; content:"|93 1A|FirstCircleBBBBBBBBBBBBBBBBBBBBBBB|06 A6 17 30|BBBBBBBBBBBBBBBBBBBB|90 90 90 90|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,40586; reference:cve,2010-1297; classtype:attempted-user; sid:23264; rev:3; service:http; service:imap; service:pop3; )
# sid 18543 (CVE-2011-0609): 64-byte "FWS" version 9 prefix (length 0x0000CB47) plus header fields and the first
# tags, ending in the ASCII text "1414141414141414". Exact-file match of one dropper; no depth anchor.
01049 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH embedded Shockwave dropper download"; flow:to_client,established; file_data; content:"FWS|09 47 CB 00 00 48 01 40 00 5A 00 00 19 01 00 44 11 08 00 00 00 BF 14 1C CB 00 00 00 00 00 00 00 10 00 2E 00 06 00 80 80 40 94 A8 D0 A0 01 80 80 04 10 00 02 00 00 00 12 12 12 E2 41 30 F0 09|1414141414141414"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-0609; reference:url,www.adobe.com/support/security/bulletins/apsb11-05.html; reference:url,www.adobe.com/support/security/bulletins/apsb11-06.html; classtype:attempted-user; sid:18543; rev:10; service:http; service:imap; service:pop3; )
# sid 24142 (CVE-2012-0779): 19-byte opaque match, gated on file.swf (unlike its four ungated siblings 22916/22915/22070/22069).
01051 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player object confusion attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|1E 3E 95 0F 29 8B 36 33 45 A4 1C F6 43 97 12 71 58 FF 44|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0779; reference:url,www.adobe.com/support/security/bulletins/apsb12-09.html; classtype:attempted-user; sid:24142; rev:1; service:http; service:imap; service:pop3; )
# sid 24244: 20-byte opaque match, gated on file.swf. No CVE reference is attached — only the APSB12-19 bulletin
# and a securityfocus thread; the CVE should be added once known.
01052 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player Matrix3D integer overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|A3 9D 7B C7 44 71 75 DD F0 26 8A 1F 78 66 64 50 4F 16 95 4A|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.adobe.com/support/security/bulletins/apsb12-19.html; reference:url,www.securityfocus.com/archive/1/524143/30/0/threaded; classtype:attempted-user; sid:24244; rev:1; service:http; service:imap; service:pop3; )
# sid 24362 (CVE-2012-4165): 32-byte opaque match plus isdataat:!624 — without "relative" this asserts the buffer
# does NOT contain 624 bytes, i.e. it only fires on files shorter than that (presumably a tiny PoC); larger files
# with the same bytes are excluded. classtype is denial-of-service, consistent with the null-dereference description.
01054 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash null reference JIT compilation attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|ED B6 DB 4D 85 68 66 57 89 24 CB 66 92 1D 34 FC 5C A0 CF 32 2A A2 54 46 3C B1 B5 4F 46 7C 26 0F|"; isdataat:!624; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-4165; reference:url,www.adobe.com/support/security/bulletins/apsb12-19.html; classtype:denial-of-service; sid:24362; rev:1; service:http; service:imap; service:pop3; )
# sid 24366 (CVE-2012-4163): 35-byte match starting 3F 08 + 4-byte length 0xE1; read as a long-form SWF RECORDHEADER
# 0x083F gives tag code 32 (DefineShape3) — plausible for "malformed record" but unverified. Gated on file.swf.
01056 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash malformed record stack exhaustion attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|3F 08 E1 00 00 00 01 00 45 F2 25 F2 20 01 12 A9 12 44 80 02 00 FF FF FF FF FF FF FF FF 00 00 10 15 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-4163; reference:url,www.adobe.com/support/security/bulletins/apsb12-19.html; classtype:denial-of-service; sid:24366; rev:1; service:http; service:imap; service:pop3; )
# sid 24428 (CVE-2012-5271): semantic check rather than a sample hash. After the 1D…6D marker and 00 00 01 02,
# byte_extract reads one byte into local_count (looks like the method body's local register count); D0 49 00 then
# an opcode byte 92 (presumably an AVM2 local-register instruction); the following operand byte must have its top
# bit clear (single-byte varint, byte_test !& 128) and be > local_count, i.e. an out-of-range register index,
# followed by 47 00 00. Sid 24430 is identical except the opcode byte is 94.
01058 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player ActionScript virtual machine opcode verifying code execution attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|1D 1D 1D 1D 1D 1D 1D 6D|"; content:"|00 00 01 02|",within 4,distance 2; byte_extract:1,0,local_count,relative; content:"|D0 49 00|",within 3,distance 3; content:"|92|",distance 0; byte_test:1,!&,128,0,relative; byte_test:1,>,local_count,0,relative; content:"|47 00 00|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-5271; reference:url,adobe.com/support/security/bulletins/apsb12-22.html; classtype:attempted-user; sid:24428; rev:2; service:http; service:imap; service:pop3; )
01060 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player ActionScript virtual machine opcode verifying code execution attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|1D 1D 1D 1D 1D 1D 1D 6D|"; content:"|00 00 01 02|",within 4,distance 2; byte_extract:1,0,local_count,relative; content:"|D0 49 00|",within 3,distance 3; content:"|94|",distance 0; byte_test:1,!&,128,0,relative; byte_test:1,>,local_count,0,relative; content:"|47 00 00|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-5271; reference:url,adobe.com/support/security/bulletins/apsb12-22.html; classtype:attempted-user; sid:24430; rev:2; service:http; service:imap; service:pop3; )
# sid 18447: not gated on any flowbit, unlike the neighbouring FILE-FLASH rules, so it is
# evaluated against every file_data buffer. The pattern (`/OpenAction <<` followed within
# 300 non-'>' bytes by `/URI (data`, presumably the opening of a data: URI) is PDF object
# syntax; gating on flowbits:isset,file.pdf (set by sid 20494 below) would narrow evaluation
# to PDF content -- confirm the intended carrier format before changing it.
01062 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe OpenAction crafted URI action thru Firefox attempt"; flow:to_client,established; file_data; content:"|2F|OpenAction|20 3C 3C|"; pcre:"/[^\x3e]{0,300}\x2fURI \x28data/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-0587; reference:url,www.adobe.com/support/security/bulletins/apsb11-03.html; classtype:attempted-user; sid:18447; rev:8; service:http; service:imap; service:pop3; )
01063 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player AS2 privilege escalation attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|B9 6D 3D DC 78 02 AD 3D 79 F8 B8 79 79 00 09 E9 40 4F 6B 5B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-5278; reference:url,www.adobe.com/support/security/bulletins/apsb12-24.html; classtype:attempted-user; sid:24810; rev:1; service:http; service:imap; service:pop3; )
01065 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player AS2 privilege escalation attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|F5 69 1A 7D 8A 46 9F 5C 64 48 32 9B 52 CC DC 4E 35 EB F5 5F|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-5278; reference:url,www.adobe.com/support/security/bulletins/apsb12-24.html; classtype:attempted-user; sid:24812; rev:1; service:http; service:imap; service:pop3; )
01067 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player ActionScript virtual machine opcode verifying code execution attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|01 09 0A 2E D0 30 D0 5D 04 4A 04 00 68 01 D0 92 90 4E|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-5271; reference:url,adobe.com/support/security/bulletins/apsb12-22.html; classtype:attempted-user; sid:24874; rev:1; service:http; service:imap; service:pop3; )
01069 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player ActionScript virtual machine opcode verifying code execution attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|01 09 0A 2E D0 30 D0 5D 04 4A 04 00 68 01 D0 94 90 4E|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-5271; reference:url,adobe.com/support/security/bulletins/apsb12-22.html; classtype:attempted-user; sid:24876; rev:1; service:http; service:imap; service:pop3; )
# sid 24890: `flow:to_client, established` and `flowbits:isset, file.swf` carry a space after
# the comma (every other rule in this block writes them without one); Snort's parser tolerates
# it, but stricter tooling may not -- normalise for consistency. It is also the only FILE-FLASH
# rule here whose metadata lists `policy balanced-ips drop` without `policy security-ips drop`;
# likely an omission, since siblings for the same bulletin carry both.
01071 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Action InitArray stack overflow attempt"; flow:to_client, established; flowbits:isset, file.swf; file_data; content:"|96 05 00 07|"; byte_test:4,>,0x040000,0,relative,little; content:"|42|",within 1,distance 4; metadata:policy balanced-ips drop,service http,service imap,service pop3; reference:cve,2012-5269; reference:url,www.adobe.com/support/security/bulletins/apsb12-24.html; classtype:attempted-user; sid:24890; rev:1; service:http; service:imap; service:pop3; )
01073 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player ActionScript bytecode symbolclass tag type confusion attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|FF 01 2B 00 00 00 6C 00 01 00 8A 06 06 01 00 67 00 1B 36 1F C9 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-5270; reference:url,adobe.com/support/security/bulletins/apsb12-24.html; classtype:attempted-user; sid:24895; rev:1; service:http; service:imap; service:pop3; )
01075 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player actionscript bytecode trait type null pointer dereference attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"FWS",depth 3; content:"|03 00 00 00 00 00 00 00 00 00 00 00 00 00 01 02 03 09 06 00 01 01 01 03|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-5266; reference:url,www.adobe.com/support/security/bulletins/apsb12-24.html; classtype:attempted-user; sid:24980; rev:1; service:http; service:imap; service:pop3; )
01077 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player actionscript bytecode trait type null pointer dereference attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|1F 91 C2 5F AC B1 71 4A 7E 99 DA 93 EC A2 6D 53 DF 3C 39 97 4D 2C 1B BF|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-5266; reference:url,www.adobe.com/support/security/bulletins/apsb12-24.html; classtype:attempted-user; sid:24982; rev:1; service:http; service:imap; service:pop3; )
# sid 24985: the bulletin reference `apsb12-XX.html` is an unfilled placeholder and resolves
# to nothing; replace `XX` with the number of the bulletin that fixed CVE-2012-5676 (look it
# up; it is not recoverable from this listing).
01079 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player index overflow attempt"; flow:to_client,established; file_data; flowbits:isset,file.swf; content:"|31 33 31 59 CE FD 53 4A 77 B7 30 2C 90 35 63 A4 31 14 C9 76 C9 28 4A 21 55 EC 09 3A 26 62 E5 86|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-5676; reference:url,www.adobe.com/support/security/bulletins/apsb12-XX.html; classtype:attempted-user; sid:24985; rev:2; service:http; service:imap; service:pop3; )
01081 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player specially invalid traits structure attempt"; flow:to_client,established; file_data; flowbits:isset,file.swf; content:"|09 0A 11 D0 30 5E A9 03 D1 68 A9 03 5D 8F 03 4F 8F 03 00 47 00 00 91 03 03 01 09 0A 1D D0 30 5E|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-5678; classtype:attempted-user; sid:24989; rev:1; service:http; service:imap; service:pop3; )
01083 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player DoInitAction invalid action overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|B6 0D 00 04 02 04 03 07 02 00 00 00 04 01 08 07|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-5268; reference:url,www.adobe.com/support/security/bulletins/apsb12-24.html; classtype:attempted-user; sid:24991; rev:1; service:http; service:imap; service:pop3; )
01086 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash malformed regular expression exploit attempt"; flow:to_client,established; file_data; flowbits:isset,file.swf|file.ole; content:"RegEx"; pcre:"/RegExp?\x23.{0,5}\x28\x3f[^\x29]{0,4}i.*?\x28\x3f\x2d[^\x29]{0,4}i.{0,50}\x7c\x7c/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-0634; reference:url,www.adobe.com/support/security/bulletins/apsb13-02.html; classtype:attempted-user; sid:25676; rev:3; service:http; service:imap; service:pop3; )
01087 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash malformed regular expression exploit attempt"; flow:to_client,established; file_data; content:"|81 26 B3 45 C4 3F 7F 7F FF AE FD 47 3F 59 BA FD 67 FE ED D7 5E B5 55 6F 3D C2 B7 5E F9 00 BF FD|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-0634; reference:url,www.adobe.com/support/security/bulletins/apsb13-02.html; classtype:attempted-user; sid:25677; rev:3; service:http; service:imap; service:pop3; )
01090 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player CFF FeatureCount integer overflow attempt"; flow:to_client,established; flowbits:isset,file.swf.cff; file_data; content:"|00 7E 00 E2|"; content:"|00 01 00 00|",within 4,distance -10; byte_jump:2,0,relative,post_offset 2; byte_jump:2,0,relative,post_offset 2; content:"|FF FF|",within 2; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-0633; reference:url,www.adobe.com/support/security/bulletins/apsb13-04.html; classtype:attempted-user; sid:25681; rev:3; service:http; service:imap; service:pop3; )
# sid 25815: gated on flowbits:isset,file.flv, but no FILE-IDENTIFY rule in this listing sets
# file.flv -- the FLV magic rule (sid 20497, content "FLV|01|") sets file.swf instead. Unless
# a rule outside this view sets file.flv, this rule can never fire. The first content is
# already anchored with depth 16 on the FLV header bytes, so the gate could be dropped or
# sid 20497 changed to set file.flv; confirm against the full ruleset before either change.
01092 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player FLV crafted ADPCM stream heap overflow attempt"; flow:to_client,established; flowbits:isset,file.flv; file_data; content:"|46 4C 56 01 05 00 00 00 09 00 00 00 00 09 00 02|",depth 16; content:"|1D 25 00 00 08 42 10 84 21 08 42 10 84 21 08 42|",within 16,distance 560; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,57907; reference:cve,2013-0638; reference:url,www.adobe.com/support/security/bulletins/apsb13-05.html; classtype:attempted-user; sid:25815; rev:1; service:http; service:imap; service:pop3; )
# sid 26000: matches HTML markup with case-sensitive contents. HTML attribute names and the
# quoted value in `allowscriptaccess="always"` are case-insensitive to the browser, so adding
# `nocase` to that content (and to `swLiveConnect=true`) keeps the rule robust to the many
# casings seen in real pages. Not flowbit-gated, so it is evaluated on every file_data buffer.
01095 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player HTML & Javascript SWF use-after-free execution attempt"; flow:to_client,established; file_data; content:".LoadMovie"; content:"allowscriptaccess=|22|always|22|",distance 0; content:"swLiveConnect=true",distance 1; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,58186; reference:cve,2013-0648; reference:url,www.adobe.com/support/security/bulletins/apsb13-08.html; classtype:attempted-user; sid:26000; rev:1; service:http; service:imap; service:pop3; )
01097 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player HTML & Javascript SWF use-after-free execution attempt"; flow:to_client,established; flowbits:isset,file.cws; file_data; content:"|43 57 53 0D B6 3A 00 00 78 DA 95 7B 09 60 54 C7 91 68 D7 7B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,58186; reference:cve,2013-0648; reference:url,www.adobe.com/support/security/bulletins/apsb13-08.html; classtype:attempted-user; sid:26002; rev:1; service:http; service:imap; service:pop3; )
01099 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player HTML & Javascript SWF use-after-free execution attempt"; flow:to_client,established; flowbits:isset,file.cws; file_data; content:"|43 57 53 0D A3 14 00 00 78 DA 75 37 69 73 1B 57 72 AF E7 7A|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,58186; reference:cve,2013-0648; reference:url,www.adobe.com/support/security/bulletins/apsb13-08.html; classtype:attempted-user; sid:26004; rev:1; service:http; service:imap; service:pop3; )
01101 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player HTML & Javascript SWF use-after-free execution attempt"; flow:to_client,established; flowbits:isset,file.cws; file_data; content:"|43 57 53 0E BC 03 00 00 78 DA 5D 52 41 6F D3 30 14 B6 93 34|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,58186; reference:cve,2013-0648; reference:url,www.adobe.com/support/security/bulletins/apsb13-08.html; classtype:attempted-user; sid:26006; rev:1; service:http; service:imap; service:pop3; )
01103 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player SWF-based shellcode download attempt"; flow:to_client,established; file_data; content:"www.mypagex.com/fileshare/questions/"; content:"explorer.exe",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,58186; reference:cve,2013-0648; reference:url,www.adobe.com/support/security/bulletins/apsb13-08.html; classtype:attempted-user; sid:26008; rev:1; service:http; service:imap; service:pop3; )
01108 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe SWF malformed HTML text null dereference attempt"; flow:to_client,established; file_data; flowbits:isset,file.swf; content:"|92 D1 16 24 43 72 25 53 63 82 93 A2 C2 E1 F0 08|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-3329; reference:url,www.adobe.com/support/security/bulletins/apsb13-14.html; classtype:attempted-user; sid:26687; rev:1; service:http; service:imap; service:pop3; )
01110 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe SWF remote memory corruption attempt"; flow:to_client,established; file_data; flowbits:isset,file.swf; content:"|E8 3F 00 00 00 00 00 00 00 00 E9 04 00 04|void|19|promolenta.dat"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,60478; reference:cve,2013-3343; reference:url,www.adobe.com/support/security/bulletins/apsb13-16.html; classtype:attempted-user; sid:26982; rev:1; service:http; service:imap; service:pop3; )
01112 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player malicious swf file download attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|AE D7 46 41 60 D2 E4 25 52 2F 88 38 EA B9 BC D1 1B F2 95 52 B8 2C 8E C7 B4 21 A9 2F 62 26|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,blogs.technet.com/b/srd/archive/2013/07/10/running-in-the-wild-not-for-so-long.aspx; classtype:attempted-user; sid:27182; rev:1; service:http; service:imap; service:pop3; )
01113 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player malicious swf file download attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|E5 8C 2E 73 DC 35 EE 09 13 9E 09 87 C3 E9 76 8E C8 1B B9 F2 84 4A 53 90 EB F5 D5 5A 60 BC|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,blogs.technet.com/b/srd/archive/2013/07/10/running-in-the-wild-not-for-so-long.aspx; classtype:attempted-user; sid:27183; rev:1; service:http; service:imap; service:pop3; )
01114 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash Player malicious swf file download attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|CB 74 5E 0D BD 47 57 13 3F E7 55 4F 02 D4 3F D9 8E D3 C4 6E D4 07 3E 41 FD FB E1 4F 63 29|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,blogs.technet.com/b/srd/archive/2013/07/10/running-in-the-wild-not-for-so-long.aspx; classtype:attempted-user; sid:27184; rev:1; service:http; service:imap; service:pop3; )
01118 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe SWF heap buffer overflow attempt"; flow:to_client,established; file_data; flowbits:isset,file.swf; content:"|76 DB E9 F0 AD 26 55 2A C8 BD 68 4C 99 A4 8A D8 6B 7F 9D 15 22 41 05 7B 76 A3 20 2A 54 5C DB A8|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,61045; reference:cve,2013-3345; reference:url,www.adobe.com/support/security/bulletins/apsb13-17.html; classtype:attempted-user; sid:27265; rev:1; service:http; service:imap; service:pop3; )
01120 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-FLASH Adobe Flash ActionScript user-supplied PCM resampling integer overflow attempt"; flow:to_client,established; file_data; flowbits:isset,file.swf; content:"|88 ED 54 2A 27 AA 96 79 2A EA 47 81 9B 4A 5A A6 46 5C 32 22|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,61048; reference:cve,2013-3347; reference:url,www.adobe.com/support/security/bulletins/apsb13-17.html; classtype:attempted-user; sid:27267; rev:1; service:http; service:imap; service:pop3; )
# FILE-IDENTIFY rules: each matches a file-format magic in the file_data buffer, sets a
# file.* flowbit for the downstream FILE-* rules (e.g. the flowbits:isset,file.swf gates
# above) and uses flowbits:noalert so the tagging itself produces no event. Rules in this
# group that omit `depth`/`offset` match their magic anywhere in the buffer, not only at the
# start of the file.
01122 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY MPEG video stream file magic detected"; flow:to_client,established; file_data; content:"|00 00 01 B3|",depth 4; flowbits:set,file.mpeg; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20450; rev:12; service:http; service:imap; service:pop3; )
01123 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY MPEG sys stream file magic detected"; flow:to_client,established; file_data; content:"|00 00 01 BA|",depth 4; flowbits:set,file.mpeg; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20451; rev:12; service:http; service:imap; service:pop3; )
01124 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY RealNetworks Real Media file magic detected"; flow:to_client,established; file_data; content:".RMF",depth 4; flowbits:set,file.realplayer; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20456; rev:12; service:http; service:imap; service:pop3; )
01125 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY GIF file magic detected"; flow:to_client,established; file_data; content:"GIF8",depth 4,fast_pattern; content:"a",within 1,distance 1; flowbits:set,file.gif; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20459; rev:8; service:http; service:imap; service:pop3; )
01126 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY MP3 file magic detected"; flow:to_client,established; file_data; content:"ID3",depth 3; flowbits:set,file.mp3; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20460; rev:9; service:http; service:imap; service:pop3; )
01127 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Ogg Stream file magic detected"; flow:to_client,established; file_data; content:"OggS|00|",depth 5; flowbits:set,file.ogg; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20462; rev:12; service:http; service:imap; service:pop3; )
# sid 20463: `PK|03 04|` has no depth, so a ZIP local-file header anywhere in the buffer (for
# example embedded inside another container) tags the stream as zip/jar, not only a file that
# begins with one. The negated `|14 00 06 00|` within 4 excludes headers whose version-needed
# and general-purpose-flag bytes have exactly that value -- presumably to keep one specific
# writer's archives from being tagged; confirm the intent before changing it.
01128 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_client,established; file_data; content:"PK|03 04|"; content:!"|14 00 06 00|",within 4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20463; rev:14; service:http; service:imap; service:pop3; )
01129 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_client,established; file_data; content:"PK00PK|03 04|"; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20464; rev:13; service:http; service:imap; service:pop3; )
01130 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_client,established; file_data; content:"PK|01 02|"; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20465; rev:13; service:http; service:imap; service:pop3; )
01131 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_client,established; file_data; content:"PK|05 06|"; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20466; rev:13; service:http; service:imap; service:pop3; )
01132 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_client,established; file_data; content:"PK|06 08|"; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20467; rev:13; service:http; service:imap; service:pop3; )
01133 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_client,established; file_data; content:"PK|06 07|"; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20468; rev:13; service:http; service:imap; service:pop3; )
01134 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_client,established; file_data; content:"PK|06 06|"; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20469; rev:13; service:http; service:imap; service:pop3; )
01135 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY RIFX file magic detected"; flow:to_client,established; file_data; content:"RIFX",depth 4; flowbits:set,file.dir; flowbits:set,file.swf; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20471; rev:11; service:http; service:imap; service:pop3; )
01136 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY ELF file magic detected"; flow:to_client,established; file_data; content:"|7F|ELF",depth 4; flowbits:set,file.elf; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20477; rev:11; service:http; service:imap; service:pop3; )
01137 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY PNG file magic detected"; flow:to_client,established; file_data; content:"|89|PNG|0D 0A 1A 0A|",depth 8; flowbits:set,file.png; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20478; rev:8; service:http; service:imap; service:pop3; )
01138 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY MP3 file magic detected"; flow:to_client,established; file_data; content:"|FF FB 90|",depth 3; flowbits:set,file.mp3; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20481; rev:9; service:http; service:imap; service:pop3; )
01139 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY JPEG file magic detected"; flow:to_client,established; file_data; content:"|FF D8 FF E0|",depth 4; flowbits:set,file.jpeg; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20483; rev:11; service:http; service:imap; service:pop3; )
01140 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY JPEG file magic detected"; flow:to_client,established; file_data; content:"|FF D8 FF E1|",depth 4; flowbits:set,file.jpeg; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:24455; rev:1; service:http; service:imap; service:pop3; )
01141 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY JPEG file magic detected"; flow:to_client,established; file_data; content:"|FF D8 FF EE|",depth 4; flowbits:set,file.jpeg; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:24456; rev:1; service:http; service:imap; service:pop3; )
01142 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY RTF file magic detected"; flow:to_client,established; file_data; content:"{|5C|rt"; flowbits:set,file.rtf; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20486; rev:10; service:http; service:imap; service:pop3; )
01143 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Universal Binary/Java Bytecode file magic detected"; flow:to_client,established; file_data; content:"|CA FE BA BE|",depth 4; flowbits:set,file.universalbinary; flowbits:set,file.class; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20492; rev:8; service:http; service:imap; service:pop3; )
01144 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY jarpack file magic detected"; flow:to_client,established; file_data; content:"|CA FE D0 0D|",depth 4; flowbits:set,file.class; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20493; rev:10; service:http; service:imap; service:pop3; )
01145 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY PDF file magic detected"; flow:to_client,established; file_data; content:"%PDF-",nocase; flowbits:set,file.pdf; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20494; rev:7; service:http; service:imap; service:pop3; )
01146 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY compressed Adobe Shockwave Flash file magic detected"; flow:to_client,established; file_data; content:"CWS",depth 3; byte_test:1,>=,0x06,0,relative; flowbits:set,file.cws; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20495; rev:14; service:http; service:imap; service:pop3; )
01147 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Adobe Shockwave Flash file magic detected"; flow:to_client,established; file_data; content:"FWS",depth 3; byte_test:1,<,20,0,relative; isdataat:5,relative; content:!"|00 00 00 00|",within 4,distance 1; flowbits:set,file.swf; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20496; rev:12; service:http; service:imap; service:pop3; )
# sid 20497: msg says "Shockwave Flash", but `FLV|01|` is the Flash Video container signature,
# and the rule sets file.swf rather than file.flv (the bit sid 25815 above waits on). It also
# has no depth/offset, so the 4-byte string matches anywhere in the buffer, while sibling magic
# rules anchor with `depth`. Consider `content:"FLV|01|",depth 4;` plus `flowbits:set,file.flv;`
# (keeping file.swf only if a downstream rule relies on it).
01148 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Adobe Shockwave Flash file magic detected"; flow:to_client,established; file_data; content:"FLV|01|"; flowbits:set,file.swf; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20497; rev:9; service:http; service:imap; service:pop3; )
01149 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_client,established; file_data; content:"moov",depth 4,offset 4; flowbits:set,file.quicktime; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20500; rev:10; service:http; service:imap; service:pop3; )
01150 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_client,established; file_data; content:"ftyp",depth 4,offset 4; flowbits:set,file.quicktime; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20501; rev:10; service:http; service:imap; service:pop3; )
01151 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_client,established; file_data; content:"mdat",depth 4,offset 4; flowbits:set,file.quicktime; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20502; rev:10; service:http; service:imap; service:pop3; )
01152 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_client,established; file_data; content:"free",depth 4,offset 4; flowbits:set,file.quicktime; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20503; rev:10; service:http; service:imap; service:pop3; )
01153 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Adobe Shockwave Flash file magic detected"; flow:to_client,established; file_data; content:"XFIR",depth 4; flowbits:set,file.swf; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20507; rev:11; service:http; service:imap; service:pop3; )
01154 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY dmg file magic detected"; flow:to_client,established; file_data; content:"ER|02 00|",depth 4; flowbits:set,file.dmg; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20514; rev:9; service:http; service:imap; service:pop3; )
01156 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Office Excel xlw file magic detected"; flow:to_client,established; file_data; content:"|09 08 10 00 00 06 00 01|"; flowbits:set,file.xls; flowbits:noalert; metadata:service http,service imap,service pop3; reference:url,sc.openoffice.org/excelfileformat.pdf; classtype:misc-activity; sid:12283; rev:14; service:http; service:imap; service:pop3; )
# ---------------------------------------------------------------------------
# FILE-IDENTIFY rules: file-type tagging.
# Each rule looks for a file-format magic in the file_data buffer of an
# established server->client stream on $FILE_DATA_PORTS and records the type
# it recognised as a flowbit (flowbits:set,file.<type>).  Rules that carry
# flowbits:noalert raise no event of their own; their only purpose is to let
# later FILE-* rules gate on flowbits:isset,file.<type>.  A gated rule can
# therefore only fire when the matching identifier ran first on the same
# flow, so a gap in these magics is also a gap in every rule gated on them.
# Identifiers WITHOUT flowbits:noalert (sid:8478 and sid:9639 in this group)
# alert - or drop, where an IPS policy is listed in metadata - on every
# download of that file type, malicious or not.
# ---------------------------------------------------------------------------
# ASF: the full 16-byte ASF header-object GUID, anchored at offset 0 (depth 16).
01157 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Windows Media ASF file magic detected"; flow:to_client,established; file_data; content:"|30 26 B2 75 8E 66 CF 11 A6 D9 00 AA 00 62 CE 6C|",depth 16; flowbits:set,file.asf; flowbits:noalert; metadata:service http,service imap,service pop3; reference:url,en.wikipedia.org/wiki/Advanced_Systems_Format; classtype:misc-activity; sid:12454; rev:13; service:http; service:imap; service:pop3; )
# SYLK: "ID;P" in the first 4 bytes, a newline within 3 bytes, then the two
# byte_tests bound the byte after |0A| to 0x41..0x7A (an ASCII letter) and a
# ";" must follow within 4 bytes.
01160 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft SYmbolic LinK file magic detected"; flow:to_client,established; file_data; content:"ID|3B|P",depth 4,nocase; content:"|0A|",within 3; byte_test:1,>=,0x41,0,relative; byte_test:1,<=,0x7A,0,relative; content:"|3B|",within 4; flowbits:set,file.slk; flowbits:noalert; metadata:service http,service imap,service pop3; reference:cve,2008-0112; reference:url,en.wikipedia.org/wiki/SYmbolic_LinK_(SYLK); reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-014; classtype:misc-activity; sid:13585; rev:14; service:http; service:imap; service:pop3; )
# ASF again: only the first 4 bytes of the GUID used by sid:12454
# ("0&|B2|u" is |30 26 B2 75|); sets the same file.asf flowbit.
01176 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft asf file magic detected"; flow:to_client,established; file_data; content:"0&|B2|u",depth 4; flowbits:set,file.asf; flowbits:noalert; metadata:service http,service imap,service pop3; reference:url,en.wikipedia.org/wiki/Advanced_Systems_Format; classtype:misc-activity; sid:16143; rev:17; service:http; service:imap; service:pop3; )
# CFB v3: after the compound-file signature, ">|00 03 00|" 16 bytes further on
# is header offset 24..27, i.e. MinorVersion 0x003E and MajorVersion 3.  The
# signature is NOT anchored with depth here (contrast sid:17314).  The
# file.oless.v3 flowbit is consumed by the MSI rule sid:25516.
01181 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Compound File Binary v3 file magic detected"; flow:to_client,established; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; content:">|00 03 00|",within 4,distance 16; flowbits:set,file.oless.v3; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:16474; rev:14; service:http; service:imap; service:pop3; )
# TIFF byte-order marks.  These set file.tiff.little / file.tiff.big; the plain
# file.tiff flowbit tested by sid:21160, sid:16184 and sid:21948 is not set by
# any rule in this section - presumably elsewhere in the rule set, confirm.
01184 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Tiff little endian file magic detected"; flow:to_client,established; file_data; content:"II|2A 00|",depth 4; flowbits:set,file.tiff.little; flowbits:noalert; metadata:service http,service imap,service pop3; reference:url,en.wikipedia.org/wiki/Tagged_Image_File_Format; classtype:misc-activity; sid:17229; rev:13; service:http; service:imap; service:pop3; )
01185 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Tiff big endian file magic detected"; flow:to_client,established; file_data; content:"MM|00 2A|",depth 4; flowbits:set,file.tiff.big; flowbits:noalert; metadata:service http,service imap,service pop3; reference:url,en.wikipedia.org/wiki/Tagged_Image_File_Format; classtype:misc-activity; sid:17230; rev:17; service:http; service:imap; service:pop3; )
# Generic OLE compound file, anchored (depth 8).  Sets file.fpx as well as
# file.ole, presumably because FlashPix images are compound files; as a
# result the fpx-gated FILE-IMAGE rules (sid:18237, sid:18510, sid:18229)
# are evaluated against every OLE document, not only FlashPix images.
01187 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY OLE document file magic detected"; flow:to_client,established; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|",depth 8; flowbits:set,file.ole; flowbits:set,file.fpx; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:17314; rev:15; service:http; service:imap; service:pop3; )
# Excel: 4-byte CFB signature prefix plus the UTF-16LE stream name "Workbook"
# anywhere in the buffer.
01197 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Office Excel file magic detected"; flow:to_client,established; file_data; content:"|D0 CF 11 E0|",depth 4; content:"W|00|o|00|r|00|k|00|b|00|o|00|o|00|k|00|"; flowbits:set,file.xls; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:19166; rev:12; service:http; service:imap; service:pop3; )
# Publisher: "CHNKINK " is unanchored and there is no flowbits:noalert, so
# this rule raises a misc-activity event for every Publisher file seen.
01201 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Office Publisher file magic detected"; flow:to_client,established; file_data; content:"CHNKINK "; flowbits:set,file.pub; metadata:service http,service imap,service pop3; reference:cve,2006-0001; reference:url,en.wikipedia.org/wiki/Microsoft_publisher; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-054; classtype:misc-activity; sid:8478; rev:14; service:http; service:imap; service:pop3; )
# RealPlayer .rec / .r1m: both set the same file.realplayer flowbit.
01210 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY RealNetworks Realplayer REC file magic detected"; flow:to_client,established; file_data; content:".rec|00|",depth 5; flowbits:set,file.realplayer; flowbits:noalert; metadata:service http,service imap,service pop3; reference:url,en.wikipedia.org/wiki/Realplayer; classtype:misc-activity; sid:19128; rev:14; service:http; service:imap; service:pop3; )
01211 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY RealNetworks Realplayer .r1m file magic detected"; flow:to_client,established; file_data; content:".r1m",depth 4; flowbits:set,file.realplayer; flowbits:noalert; metadata:service http,service imap,service pop3; reference:url,en.wikipedia.org/wiki/Realplayer; classtype:misc-activity; sid:19129; rev:14; service:http; service:imap; service:pop3; )
# Windows Address Book: the content is a 16-byte GUID with its printable
# bytes ("u", "X", "OyV") written literally.  No flowbit is set and there is
# no noalert: the rule alerts on every WAB file and, under the security-ips
# policy, drops it.
01218 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Windows Address Book file magic detected"; flow:to_client,established; file_data; content:"|9C CB CB 8D 13|u|D2 11 91|X|00 C0|OyV|A4|"; metadata:policy security-ips drop,service http,service imap,service pop3; reference:cve,2006-2386; reference:url,en.wikipedia.org/wiki/Windows_Address_Book; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-076; classtype:misc-activity; sid:9639; rev:9; service:http; service:imap; service:pop3; )
# M3U: "#EXTM3U" anchored at offset 0.
01233 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY M3U file magic detected"; flow:to_client,established; file_data; content:"|23|EXTM3U",depth 7; flowbits:set,file.m3u; flowbits:noalert; metadata:service http,service imap,service pop3; reference:url,en.wikipedia.org/wiki/.m3u; classtype:misc-activity; sid:9845; rev:15; service:http; service:imap; service:pop3; )
# Director: "XFIR" must sit at offset 0 (depth 4); "Shockwave 3D" may be anywhere.
01237 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Adobe Director Movie file magic detected"; flow:to_client,established; file_data; content:"Shockwave 3D"; content:"XFIR",depth 4; flowbits:set,file.dir; flowbits:noalert; metadata:service http,service imap,service pop3; reference:url,www.fileinfo.com/extension/dir; classtype:misc-activity; sid:17801; rev:14; service:http; service:imap; service:pop3; )
# FLV: "FLV" + version 1, skip the 1-byte type-flags field (distance 1), then
# DataOffset = 9 (big-endian).  Sets file.swf alongside file.flv, so the
# swf-gated rules (e.g. sid:25680) also run on FLV streams.
01242 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Adobe Flash Video file magic detected"; flow:to_client,established; file_data; content:"FLV|01|"; content:"|00 00 00 09|",within 4,distance 1; flowbits:set,file.swf; flowbits:set,file.flv; flowbits:noalert; metadata:service http,service imap,service pop3; reference:url,en.wikipedia.org/wiki/.flv; classtype:misc-activity; sid:12182; rev:14; service:http; service:imap; service:pop3; )
# PICT: file.pct is consumed by sid:12757.
01243 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY PICT file magic detected"; flow:to_client,established; file_data; content:"PICT",depth 4; flowbits:set,file.pct; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:19907; rev:9; service:http; service:imap; service:pop3; )
# CorelDRAW: RIFF container whose form type (offset 8) begins with "CDR".
01247 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY CDR file magic detected"; flow:to_client,established; file_data; content:"RIFF",depth 4,fast_pattern; content:"CDR",within 3,distance 4; flowbits:set,file.cdr; flowbits:noalert; metadata:service http,service imap,service pop3; reference:url,en.wikipedia.org/wiki/CorelDRAWCDR_file_format; classtype:misc-activity; sid:20589; rev:8; service:http; service:imap; service:pop3; )
# ASF via two 16-byte object GUIDs placed 8 bytes apart (the space characters
# are literal 0x20 bytes of the GUIDs); tags asf, wmv and wma at once.
01249 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Media Player asf/wmv/wma file magic detected"; flow:to_client,established; file_data; content:"|01 CD 87 F4 51 A9 CF 11 8E E6 00 C0 0C| Se"; content:" |DB FE 4C F6 55 CF 11 9C 0F 00 A0 C9 03 49 CB|",within 16,distance 8; flowbits:set,file.asf; flowbits:set,file.wmv; flowbits:set,file.wma; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:12972; rev:13; service:http; service:imap; service:pop3; )
# PLS: "[playlist]" (10 bytes) somewhere in the first 11 bytes.
01271 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY PLS file magic detected"; flow:to_client,established; file_data; content:"[playlist]",depth 11; flowbits:set,file.pls; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20924; rev:6; service:http; service:imap; service:pop3; )
# SMIL: anchored "<smil>" (case-sensitive); sid:24218 covers the "SMILtext" form.
01274 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY SMIL file magic detected"; flow:to_client,established; file_data; content:"<smil>",depth 6; flowbits:set,file.smil; flowbits:noalert; metadata:service http,service imap,service pop3; reference:url,en.wikipedia.org/wiki/.smil; classtype:misc-activity; sid:20928; rev:6; service:http; service:imap; service:pop3; )
# QuickTime / MOV: each rule checks the 4-character type of the FIRST atom
# (offset 4, immediately after the 4-byte atom size) against one top-level
# atom name - moof, mfra, skip, junk, wide, pnot, pict, meta, meco, uuid.
# sid:20957 additionally requires "hdlr" somewhere after "meta".  All ten set
# file.quicktime silently.  Because the match is anchored to the first atom
# only, a file whose first atom has another type (e.g. "ftyp", handled by the
# MP4/M4V rules sid:24213, sid:24816 and sid:24818) is not tagged here.
01289 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_client,established; file_data; content:"moof",depth 4,offset 4; flowbits:set,file.quicktime; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20950; rev:6; service:http; service:imap; service:pop3; )
01290 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_client,established; file_data; content:"mfra",depth 4,offset 4; flowbits:set,file.quicktime; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20951; rev:6; service:http; service:imap; service:pop3; )
01291 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_client,established; file_data; content:"skip",depth 4,offset 4; flowbits:set,file.quicktime; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20952; rev:6; service:http; service:imap; service:pop3; )
01292 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_client,established; file_data; content:"junk",depth 4,offset 4; flowbits:set,file.quicktime; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20953; rev:6; service:http; service:imap; service:pop3; )
01293 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_client,established; file_data; content:"wide",depth 4,offset 4; flowbits:set,file.quicktime; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20954; rev:6; service:http; service:imap; service:pop3; )
01294 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_client,established; file_data; content:"pnot",depth 4,offset 4; flowbits:set,file.quicktime; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20955; rev:6; service:http; service:imap; service:pop3; )
01295 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_client,established; file_data; content:"pict",depth 4,offset 4; flowbits:set,file.quicktime; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20956; rev:6; service:http; service:imap; service:pop3; )
# "meta" first atom plus an "hdlr" box somewhere later in the buffer.
01296 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_client,established; file_data; content:"meta",depth 4,offset 4; content:"hdlr",distance 0; flowbits:set,file.quicktime; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20957; rev:7; service:http; service:imap; service:pop3; )
01297 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_client,established; file_data; content:"meco",depth 4,offset 4; flowbits:set,file.quicktime; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20958; rev:6; service:http; service:imap; service:pop3; )
01298 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY MOV file magic detected"; flow:to_client,established; file_data; content:"uuid",depth 4,offset 4; flowbits:set,file.quicktime; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20959; rev:6; service:http; service:imap; service:pop3; )
# TrueType: |00 01 00 00| (sfnt version 1.0) is not anchored and "cmap" may
# follow anywhere after it, so file.ttf can be set on unrelated data that
# merely contains both sequences in that order.
01321 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY TTF file magic detected"; flow:to_client,established; file_data; content:"|00 01 00 00|"; content:"cmap",distance 0,fast_pattern; flowbits:set,file.ttf; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20991; rev:6; service:http; service:imap; service:pop3; )
# SAMI: "<SAMI" unanchored and case-sensitive (no nocase).
01322 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY SAMI file magic detected"; flow:to_client,established; file_data; content:"|3C|SAMI"; flowbits:set,file.smi; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:20992; rev:3; service:http; service:imap; service:pop3; )
# NOTE(review): this rule only tests flowbits:isset,file.ppt and then
# noalerts; it sets no flowbit at all, so it has no observable effect.
# flowbits:set,file.ppt looks intended (compare sid:19166, which sets
# file.xls on the "Workbook" stream name) - confirm against the upstream rule.
01323 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Office PowerPoint file magic detected"; flow:to_client,established; file_data; content:"P|00|o|00|w|00|e|00|r|00|P|00|o|00|i|00|n|00|t|00 20 00|D|00|o|00|c|00|u|00|m|00|e|00|n|00|t"; flowbits:isset,file.ppt; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:21011; rev:4; service:http; service:imap; service:pop3; )
# Visio: classtype policy-violation, but silent (noalert).
01324 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Visio file magic detected"; flow:established,to_client; file_data; content:"Visio |28|TM|29| Drawing|0D 0A|"; flowbits:set,file.visio; flowbits:noalert; metadata:service http,service imap,service pop3; reference:url,office.microsoft.com/en-us/visio/default.aspx; classtype:policy-violation; sid:11835; rev:6; service:http; service:imap; service:pop3; )
# AVI whose form type is immediately followed by a LIST chunk -> file.avi.video;
# the plain "AVI " form type is tagged separately as file.avi by sid:21621.
01328 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY AVI Video file magic detected"; flow:to_client,established; file_data; content:"RIFF",depth 4; content:"AVI LIST",within 8,distance 4; flowbits:set,file.avi.video; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:21059; rev:5; service:http; service:imap; service:pop3; )
# Webex .wrf: "WOTF" written in hex, unanchored.
01334 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Cisco Webex Player .wrf file magic detected"; flow:to_client,established; file_data; content:"|57 4F 54 46|"; flowbits:set,file.wrf; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:21113; rev:6; service:http; service:imap; service:pop3; )
# New Executable: "MZ" at offset 0; byte_jump reads the 4-byte e_lfanew at
# DOS-header offset 60 (2 + 58) and leaves the cursor 64 bytes in plus the
# value read, so distance -64 lands exactly on e_lfanew, where "NE" must
# appear.  No flowbit is set and there is no noalert: every NE binary alerts.
01335 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY New Executable binary file magic detected"; flow:to_client,established; file_data; content:"MZ",depth 2; byte_jump:4,58,relative,little; content:"NE",within 2,distance -64; metadata:service http,service imap,service pop3; reference:url,support.microsoft.com/kb/65122; classtype:misc-activity; sid:21244; rev:7; service:http; service:imap; service:pop3; )
# CHM: ITSF signature plus ITSP within 112 bytes.  This identifier has no
# noalert, classtype attempted-user and drop in all three IPS policies, so
# every CHM download is alerted - and dropped in those policies - although
# the match contains nothing specific to the referenced MS05-026 issue.
# Treat it as a policy rule for CHM delivery rather than exploit detection.
01346 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Windows CHM file magic detected"; flow:to_client,established; file_data; content:"ITSF",depth 4; content:"ITSP",within 112; flowbits:set,file.chm; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,13953; reference:cve,2005-1208; reference:nessus,18482; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-026; classtype:attempted-user; sid:3820; rev:17; service:http; service:imap; service:pop3; )
# XML/XUL: "<xml>" or "<?xml" within the first 50 bytes (nocase); both rules
# tag file.xml and file.xul.
01349 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY XML file magic detected"; flow:to_client,established; file_data; content:"<xml>",depth 50,nocase; flowbits:set,file.xml; flowbits:set,file.xul; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:21480; rev:4; service:http; service:imap; service:pop3; )
01350 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY XML file magic detected"; flow:to_client,established; file_data; content:"<?xml",depth 50,nocase; flowbits:set,file.xml; flowbits:set,file.xul; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:21498; rev:4; service:http; service:imap; service:pop3; )
# RIFF containers keyed on the 4-byte form type at offset 8: WAVE, "AVI ",
# and ACON (animated cursor).
01358 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY WAV file magic detected"; flow:to_client,established; file_data; content:"RIFF",depth 4; content:"WAVE",within 4,distance 4; flowbits:set,file.wav; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:21620; rev:4; service:http; service:imap; service:pop3; )
01359 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY AVI file magic detected"; flow:to_client,established; file_data; content:"RIFF",depth 4; content:"AVI ",within 4,distance 4; flowbits:set,file.avi; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:21621; rev:3; service:http; service:imap; service:pop3; )
# PostScript font: "%!PS-AdobeFont-1.0" unanchored.
01382 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY PFA file magic detected"; flow:to_client,established; file_data; content:"%!PS-AdobeFont-1.0"; flowbits:set,file.psfont; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:21712; rev:1; service:http; service:imap; service:pop3; )
01397 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY ANI file magic detection"; flow:to_client,established; file_data; content:"RIFF",depth 4; content:"ACON",within 4,distance 4; flowbits:set,file.ani; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:21727; rev:1; service:http; service:imap; service:pop3; )
# HPJ: "[OPTIONS]" unanchored.  That section name occurs in many INI-style
# files, so expect file.hpj to be set on unrelated content as well.
01421 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY HPJ file magic detected"; flow:to_client,established; file_data; content:"[OPTIONS]"; flowbits:set,file.hpj; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:21751; rev:1; service:http; service:imap; service:pop3; )
# OpenType (CFF-flavoured): "OTTO" sfnt tag at offset 0.
01446 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY OpenType Font file magic detection"; flow:to_client,established; file_data; content:"OTTO",depth 4; flowbits:set,file.otf; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:21999; rev:4; service:http; service:imap; service:pop3; )
# VB6 executables: gated on file.exe (set by sid:25515).  The byte pattern
# appears to be the x86 entry stub of VB6 binaries (FF 25 = jmp [imm32],
# 68 = push imm32, E8 = call rel32 with a negative displacement) - confirm.
01447 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Visual Basic v6.0 - additional file magic detected"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|FF 25|"; content:"|68|",within 1,distance 4; content:"|E8|",within 1,distance 4; content:"|FF FF FF|",within 3,distance 1; content:"|30|",within 1,distance 6; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:22002; rev:2; service:http; service:imap; service:pop3; )
01451 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Visual Studio VAP file magic detected"; flow:to_client,established; file_data; content:"Microsoft Developer Studio Project File - Analyzer Project"; flowbits:set,file.vap; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:22028; rev:2; service:http; service:imap; service:pop3; )
# Windows Metafile (the msg says "Audio", but |00 09 00 00 03| is the WMF
# META_HEADER: HeaderSize 9 and Version 0x0300; with depth 6 the pattern may
# start at offset 1, leaving the low byte of the Type field unchecked).
# file.wmf is consumed by sid:15105.
01456 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Windows Audio wmf file magic detected"; flow:to_client,established; file_data; content:"|00 09 00 00 03|",depth 6; flowbits:set,file.wmf; flowbits:noalert; metadata:service http,service imap,service pop3; reference:url,en.wikipedia.org/wiki/.wmf; classtype:misc-activity; sid:22999; rev:2; service:http; service:imap; service:pop3; )
# RMF: two identifiers set file.rmf with the same references - sid:17106
# (IREZ + MThd; alerts, and drops under security-ips) and sid:24509 below
# (IREZ only; silent).
01457 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY download of RMF file - potentially malicious"; flow:established,to_client; file_data; content:"IREZ",depth 4; content:"MThd",distance 0; flowbits:set,file.rmf; metadata:policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,39077; reference:cve,2010-0842; classtype:misc-activity; sid:17106; rev:7; service:http; service:imap; service:pop3; )
# POSIX tar: the "ustar" magic lives at offset 257 of the first header block.
# The msg says "download request", but the rule inspects server->client content.
01482 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY TAR file download request"; flow:to_client,established; file_data; content:"ustar",depth 5,offset 257; flowbits:set,file.tar; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:23322; rev:2; service:http; service:imap; service:pop3; )
01572 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY X PixMap file magic detected"; flow:to_client,established; file_data; content:"/* XPM */",depth 9; flowbits:set,file.xpm; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:24190; rev:2; service:http; service:imap; service:pop3; )
# MP4: "ftyp" at offset 4 with a major brand starting "mp4" at offset 8.
01573 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY MP4 file magic detected"; flow:to_client,established; file_data; content:"ftypmp4",depth 7,offset 4; flowbits:set,file.mp4; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:24213; rev:2; service:http; service:imap; service:pop3; )
01574 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY SMIL file magic detected"; flow:to_client,established; file_data; content:"SMILtext",depth 8; flowbits:set,file.smil; flowbits:noalert; metadata:service http,service imap,service pop3; reference:url,en.wikipedia.org/wiki/.smil; classtype:misc-activity; sid:24218; rev:1; service:http; service:imap; service:pop3; )
# Embedded OpenType: the 8 bytes at offset 28 appear to cover Weight (0x190 =
# 400), fsType (0) and the 0x504C MagicNumber, so only normal-weight fonts
# with fsType 0 are tagged; only the magic at offset 34 is format-invariant.
# Confirm against the EOT header layout before relaxing the pattern.
01581 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Embedded Open Type Font file magic detected"; flow:to_client,established; file_data; content:"|90 01 00 00 00 00 4C 50|",depth 8,offset 28; content:"|00|",within 1,distance 49; flowbits:set,file.eot; flowbits:noalert; metadata:service http,service imap,service pop3; reference:url,en.wikipedia.org/wiki/Embedded_OpenType; classtype:misc-activity; sid:24483; rev:2; service:http; service:imap; service:pop3; )
# Silent RMF identifier (see sid:17106 above); classtype attempted-user is
# unusual for a noalert tagging rule.
01583 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY rmf file download request"; flow:established,to_client; file_data; content:"IREZ",depth 4; flowbits:set,file.rmf; flowbits:noalert; metadata:service http,service imap,service pop3; reference:bugtraq,39077; reference:cve,2010-0842; classtype:attempted-user; sid:24509; rev:3; service:http; service:imap; service:pop3; )
# ISO-BMFF MP4: major brand "iso?" at offset 8, then the first compatible
# brand at offset 16 must start with "mp4" (distance 5 skips the 4th brand
# byte and the 4-byte minor version).  The M4V brand is matched nocase.
01585 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY MP4 file magic detected"; flow:to_client,established; file_data; content:"ftypiso",depth 7,offset 4; content:"mp4",within 3,distance 5; flowbits:set,file.mp4; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:24816; rev:1; service:http; service:imap; service:pop3; )
01587 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY M4V file magic detected"; flow:to_client,established; file_data; content:"ftypM4V",depth 7,offset 4,nocase; flowbits:set,file.m4v; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:24818; rev:1; service:http; service:imap; service:pop3; )
# Portable Executable: same e_lfanew walk as sid:21244, but "MZ" carries no
# depth, so the DOS stub may start anywhere in the buffer.  Sets file.exe,
# which sid:22002 and sid:25516 depend on.
01601 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Portable Executable binary file magic detected"; flow:to_client,established; file_data; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|",within 4,distance -64; flowbits:set,file.exe; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:25515; rev:1; service:http; service:imap; service:pop3; )
# MSI: requires file.exe AND (file.ole OR file.oless.v3 - the "|" is flowbits
# OR syntax) AND the DOS-stub text; flowbits:isnotset,file.msi stops the rule
# re-evaluating a flow that is already tagged.
01602 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Software Installer MSI binary file magic detected"; flow:to_client,established; flowbits:isnotset,file.msi; flowbits:isset,file.ole|file.oless.v3; flowbits:isset,file.exe; file_data; content:"This program cannot be run in DOS"; flowbits:set,file.msi; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:25516; rev:1; service:http; service:imap; service:pop3; )
# ZIP: the local-file-header signature PK|03 04| followed by version-needed
# 0x0014 and general-purpose flags 0x0006.  Local headers with any other
# version/flag combination - the common case - do NOT set file.zip, so rules
# gated on it have correspondingly narrow coverage.
01624 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY ZIP file download detected"; flow:to_client,established; file_data; content:"PK|03 04 14 00 06 00|",depth 8; flowbits:set,file.zip; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:26057; rev:1; service:http; service:imap; service:pop3; )
# JPEG/JFIF: APP0 segment length 0x0010 followed by "JFIF"; the leading
# FF D8 FF E0 is not required and the match is unanchored.  file.jpeg is
# consumed by sid:18600 and sid:18599.
01629 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY JPEG file magic detected"; flow:to_client,established; file_data; content:"|00 10|JFIF"; flowbits:set,file.jpeg; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:26251; rev:1; service:http; service:imap; service:pop3; )
# Compact Font Format embedded in a SWF: gated on file.swf (set by sid:12182
# and, presumably, an SWF identifier outside this section).
01630 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Adobe Flash Player embedded compact font detected"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"CFF"; content:"DEF",within 3,distance 14; content:"GSUB",within 4,distance 12; flowbits:set,file.swf.cff; flowbits:noalert; metadata:service http,service imap,service pop3; reference:url,en.wikipedia.org/wiki/PostScript_fonts#Compact_Font_Format; classtype:misc-activity; sid:25680; rev:2; service:http; service:imap; service:pop3; )
# .pyc: |03 F3 0D 0A| is the CPython 2.7 bytecode magic; bytecode written by
# other interpreter versions carries a different value and is not tagged.
01650 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Python bytecode file magic detected"; flow:to_client,established; file_data; content:"|03 F3 0D 0A|",depth 4; flowbits:set,file.pyc; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:27542; rev:1; service:http; service:imap; service:pop3; )
# ---------------------------------------------------------------------------
# FILE-IMAGE rules: malformed-image / exploit detection.
# Every rule below except sid:6700 is gated on a flowbit from a FILE-IDENTIFY
# rule (flowbits:isset,file.<type>) and can only fire if that identifier
# matched earlier on the same flow; disabling or pruning the silent
# identifier therefore silently disables the gated rule.  file.gif, file.png
# and plain file.tiff are not set by any rule in this section.  Several
# signatures are fixed byte strings from a specific sample (sid:17395,
# sid:16000, sid:18600, sid:18599, sid:21948, sid:18229): they confirm a
# known sample but say little about variants.  The byte_test/pcre-based rules
# (sid:16186, sid:6700, sid:12757, sid:15105, sid:18237, sid:18510,
# sid:22106) check the malformed field itself and generalise better.
# ---------------------------------------------------------------------------
# GIF: "F89a" (the GIF89a version without the leading "GI") followed by a
# fixed run of palette bytes - sample specific.
01652 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IMAGE Oracle Java Web Start Splashscreen GIF decoding buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.gif; file_data; content:"|46 38 39 61 FF FF FF FF B3 FF 00 FF FF FF CD CD CD A6 A6 A3 0E 0D 0D 05 05 83 ED EC EC AB AB B4|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2008-2086; classtype:attempted-user; sid:17395; rev:8; service:http; service:imap; service:pop3; )
# GIF: Graphic Control Extension (F9 04 ...) followed by an Image Descriptor
# ("," = 0x2C) with zero left/top, width 0 and height 0x0190 - sample specific.
01653 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IMAGE Sun Microsystems Java gif handling memory corruption attempt"; flow:to_client,established; flowbits:isset,file.gif; file_data; content:"|F9 04 01 00 00 10 00|,|00 00 00 00 00 00 90 01|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,22085; reference:cve,2007-0243; classtype:attempted-user; sid:16000; rev:6; service:http; service:imap; service:pop3; )
# PNG IHDR: width > 59000 and height > 32000 (big-endian), bit depth > 7,
# colour type 6 (RGBA, IHDR+9) and interlace method 1 (Adam7, IHDR+12) -
# the oversized interlaced RGBA geometry associated with MS09-062.
01654 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IMAGE Microsoft Windows GDI+ interlaced PNG file parsing heap overflow attempt"; flow:to_client,established; flowbits:isset,file.png; file_data; content:"|89|PNG|0D 0A 1A 0A 00 00 00 0D|IHDR"; byte_test:4,>,59000,0,relative,big; byte_test:4,>,32000,4,relative,big; byte_test:1,>,7,8,relative; content:"|06|",within 1,distance 9; content:"|01|",within 1,distance 2; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-3126; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-062; classtype:attempted-user; sid:16186; rev:9; service:http; service:imap; service:pop3; )
# PNG tEXt chunk with a declared length > 10000: after matching "tEXt" the
# byte_test reads the 4-byte length 8 bytes back (length precedes the chunk
# type).  Not gated on file.png; relies on the PNG signature + fast_pattern.
01655 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IMAGE Microsoft Multiple Products malformed PNG detected tEXt overflow attempt"; flow:to_client,established; file_data; content:"|89|PNG|0D 0A 1A 0A|",fast_pattern; content:"tEXt",distance 0; byte_test:4,>,10000,-8,relative; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,18385; reference:cve,2006-0025; reference:cve,2009-2501; reference:cve,2012-5470; reference:cve,2013-1331; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-024; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-062; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-051; classtype:attempted-user; sid:6700; rev:18; service:http; service:imap; service:pop3; )
# JFIF + fixed byte sequences (including the 42 42 42 42 filler) - sample
# specific; sid:18599 additionally pins the distances between them.
01656 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IMAGE Apple QuickTime PictureViewer buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.jpeg; file_data; content:"|4A 46 49 46|"; content:"|EB 06 44 00|",distance 0; content:"|42 42 42 42|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,16202; reference:cve,2005-2340; classtype:attempted-user; sid:18600; rev:7; service:http; service:imap; service:pop3; )
01657 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IMAGE Apple QuickTime PictureViewer buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.jpeg; file_data; content:"|4A 46 49 46|"; content:"|B8 EC 12 00|",within 4,distance 269; content:"|42 42 42 42|",within 4,distance 37; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,16202; reference:cve,2005-2340; classtype:attempted-user; sid:18599; rev:7; service:http; service:imap; service:pop3; )
# TIFF (little endian): an IFD entry tag 0x0101 ImageLength, type LONG,
# count 1, value 0x01010101 - the literal oversized length - followed by the
# start of the BitsPerSample entry (tag 0x0102, type SHORT).
01658 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IMAGE Adobe tiff oversized image length attempt"; flow:to_client,established; flowbits:isset,file.tiff.little; file_data; content:"|14 01 00 00 01 01 04 00 01 00 00 00 01 01 01 01 02 01 03 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-2995; classtype:attempted-user; sid:16321; rev:7; service:http; service:imap; service:pop3; )
# TIFF: a BitsPerSample entry (tag 0x0102, SHORT, count 4) whose value offset
# 0x0116 / 0x010A (= 278 / 266) points at four 1-bit samples (the anchored
# |01 00| x4 content), plus PhotometricInterpretation (tag 0x0106) = 5
# (Separated/CMYK).  Gated on plain file.tiff, which nothing here sets.
01659 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IMAGE Microsoft Windows GDI+ TIFF file parsing heap overflow attempt"; flow:to_client,established; flowbits:isset,file.tiff; file_data; content:"|01 00 01 00 01 00 01 00|",depth 8,offset 278; content:"|02 01 03 00 04 00 00 00 16 01 00 00|"; content:"|06 01 03 00 01 00 00 00 05 00 00 00|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-2502; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-062; classtype:attempted-user; sid:21160; rev:4; service:http; service:imap; service:pop3; )
01660 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IMAGE Microsoft Windows GDI+ TIFF file parsing heap overflow attempt"; flow:to_client,established; flowbits:isset,file.tiff; file_data; content:"|01 00 01 00 01 00 01 00|",depth 8,offset 266; content:"|02 01 03 00 04 00 00 00 0A 01 00 00|"; content:"|06 01 03 00 01 00 00 00 05 00 00 00|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-2502; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-062; classtype:attempted-user; sid:16184; rev:11; service:http; service:imap; service:pop3; )
# TIFF SGILOG: a fixed 21-byte "adcb" repetition - sample specific; the only
# reference is a vendor blog post.
01663 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IMAGE Adobe Photoshop TIFF malicious SGILOG-compressed data attempt"; flow:to_client,established; flowbits:isset,file.tiff; file_data; content:"|61 64 63 62 61 64 63 62 61 64 63 62 61 64 63 62 61 64 63 62 61|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.protekresearchlab.com/index.php?option=com_content&view=article&id=40&Itemid=40; classtype:attempted-user; sid:21948; rev:2; service:http; service:imap; service:pop3; )
# PICT: ten zero bytes, then the version-2 VersionOp (0x0011 0x02FF), then
# |82 01| followed by a 32-bit value below 50.
01665 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IMAGE Apple QuickTime uncompressed PICT stack overflow attempt"; flow:to_client,established; flowbits:isset,file.pct; file_data; content:"|00 00 00 00 00 00 00 00 00 00|"; content:"|00 11 02 FF|",distance 0,fast_pattern; content:"|82 01|",distance 0; byte_test:4,<,50,0,relative; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,26344; reference:cve,2007-4672; classtype:attempted-user; sid:12757; rev:6; service:http; service:imap; service:pop3; )
# WMF: META_HEADER (Type 1, HeaderSize 9), then a PCRE that appears to match
# a META_DIBBITBLT (0x0940) or META_DIBSTRETCHBLT (0x0B41) record whose
# embedded BITMAPINFOHEADER has a biSize with top byte 0xF0..0xFF (the
# overflowing header size), biPlanes 1 and a valid biBitCount
# (0/1/2/4/8/16/24/32) - confirm against MS08-071.
01666 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IMAGE Microsoft GDI WMF file parsing integer overflow attempt"; flow:to_client,established; flowbits:isset,file.wmf; file_data; content:"|01 00 09 00|"; pcre:"/(\x40\x09.{19}|\x41\x0b.{23})[\xf0-\xff].{8}\x01\x00[\x00\x01\x02\x04\x08\x10\x18\x20]\x00/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2008-2249; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-071; classtype:attempted-admin; sid:15105; rev:13; service:http; service:imap; service:pop3; )
# FlashPix: OLE property-set stream header (byte order FFFE, version 0)
# followed by a FlashPix FMTID written twice, after which the byte_jump /
# byte_test pairs appear to walk the section offset and require a size field
# above 0x100 - a structural check rather than a sample string.  Gated on
# file.fpx, which sid:17314 sets for every OLE compound file.
01667 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IMAGE Microsoft Windows Flashpix graphics filter fpx32.flt remote code execution attempt"; flow:to_client,established; flowbits:isset,file.fpx; file_data; content:"|FE FF 00 00|"; content:"|00 64 61 56 54 C1 CE 11 85 53 00 AA 00 A1 F9 5B 01 00 00 00 00 64 61 56 54 C1 CE 11 85 53 00 AA 00 A1 F9 5B|",within 36,distance 4; byte_jump:4,0,relative,little; byte_test:4,>,0,-44,relative; content:"|00 00 00 00|",within 4,distance -40; byte_jump:4,0,relative,little; byte_test:4,>,0x100,-8,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-3951; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-105; classtype:attempted-user; sid:18237; rev:8; service:http; service:imap; service:pop3; )
# FlashPix: GUID fragment plus a count of 1, then a little-endian 32-bit value
# twelve bytes on that exceeds 0x0FFFFFFF - the oversized length field.
01668 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IMAGE Apple QuickTime FlashPix Movie file integer overflow attempt"; flow:to_client,established; flowbits:isset,file.fpx; file_data; content:"|00 01 00 54 C1 CE 11 85 53 00 AA 00 A1 F9 5B 01 00 00 00|"; byte_test:4,>,0x0FFFFFFF,12,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,39020; reference:cve,2010-0519; classtype:attempted-user; sid:18510; rev:7; service:http; service:imap; service:pop3; )
# FlashPix tile length: a fixed 20-byte sequence - sample specific.
01669 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IMAGE Microsoft FlashPix tile length overflow attempt"; flow:to_client,established; flowbits:isset,file.fpx; file_data; content:"|FF 5F 00 00 02 00 00 00 00 11 01 FE 56 0B 00 00 3C 0A 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-3952; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-105; classtype:attempted-user; sid:18229; rev:11; service:http; service:imap; service:pop3; )
# PNG iCCP chunk with a declared length > 0x100000 (1 MiB), read 8 bytes back
# from the end of "iCCP"; isdataat:512,relative additionally requires at least
# 512 bytes of payload after the chunk type before the length is tested.
01673 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IMAGE libpng chunk decompression integer overflow attempt"; flow:established,to_client; flowbits:isset,file.png; file_data; content:"|89 50 4E 47 0D 0A 1A 0A|"; content:"iCCP",distance 0,fast_pattern; isdataat:512,relative; byte_test:4,>,0x100000,-8,relative; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,52453; reference:cve,2011-3026; reference:cve,2011-3045; classtype:attempted-admin; sid:22106; rev:5; service:http; service:imap; service:pop3; )
01674 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IMAGE libpng chunk decompression integer overflow attempt"; flow:established,to_client; flowbits:isset,file.png; file_data; content:"|89 50 4E 47 0D 0A 1A 0A|"; content:"iTXt",distance 0,fast_pattern; isdataat:512,relative; byte_test:4,>,0x100000,-8,relative; content:"|00|",within 79,distance 12; content:"|01|",within 1; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,52453; reference:cve,2011-3026; reference:cve,2011-3045; classtype:attempted-admin; sid:22105; rev:6; service:http; service:imap; service:pop3; )
01675 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IMAGE libpng chunk decompression integer overflow attempt"; flow:established,to_client; flowbits:isset,file.png; file_data; content:"|89 50 4E 47 0D 0A 1A 0A|"; content:"zTXt",distance 0,fast_pattern; isdataat:512,relative; byte_test:4,>,0x100000,-8,relative; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,52453; reference:cve,2011-3026; reference:cve,2011-3045; classtype:attempted-admin; sid:22104; rev:5; service:http; service:imap; service:pop3; )
01676 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IMAGE libpng chunk decompression integer overflow attempt"; flow:established,to_client; flowbits:isset,file.png; file_data; content:"|89 50 4E 47 0D 0A 1A 0A|"; content:"iTXt",distance 0,fast_pattern; isdataat:512,relative; byte_test:4,>,0x7ffffff,-8,relative; content:"|00|",within 79,distance 12; content:"|00|",within 1; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,52453; reference:cve,2011-3026; reference:cve,2011-3045; classtype:attempted-admin; sid:25065; rev:2; service:http; service:imap; service:pop3; )
01678 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IMAGE ClamAV Antivirus Function Denial of Service attempt"; flow:established,to_client; flowbits:isset,file.jpeg; file_data; content:"|FF D8 FF ED|",depth 4; content:"8BIM",within 4,distance 16; content:"|04 0C|",within 2; content:"|FF D8 FF ED|",distance 0; content:"8BIM",within 4,distance 16; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,32555; reference:cve,2008-5314; classtype:attempted-dos; sid:17390; rev:4; service:http; service:imap; service:pop3; )
01681 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IMAGE ClamAV Antivirus Function Denial of Service attempt"; flow:established,to_client; flowbits:isset,file.jpeg; file_data; content:"|FF D8 FF ED|",depth 4; content:"8BIM",within 4,distance 16; content:"|04 09|",within 2; content:"|FF D8 FF ED|",distance 0; content:"8BIM",within 4,distance 16; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,32555; reference:cve,2008-5314; classtype:attempted-dos; sid:26374; rev:3; service:http; service:imap; service:pop3; )
01685 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java font rendering remote code execution attempt"; flow:to_client,established; file_data; content:"single.class|6D 52 5D 53 D3 50 10 3D B7 4D|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-1491; reference:url,blog.accuvantlabs.com/blog/jdrake/pwn2own-2013-java-7-se-memory-corruption; reference:url,www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html; classtype:attempted-user; sid:26716; rev:2; service:http; service:imap; service:pop3; )
01686 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java runtime JMX findclass sandbox breach attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"|5B C7 59 FF 46 2B ED 9B 95 65 7B 3D EB B5 AD D8|"; metadata:policy balanced-ips alert,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,57563; reference:cve,2013-0431; classtype:attempted-admin; sid:26588; rev:3; service:http; service:imap; service:pop3; )
01687 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java runtime JMX findclass sandbox breach attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"com/sun/jmx/mbeanserver/Introspector"; content:"findClass"; content:"com.sun.jmx.mbeanserver.MBeanInstantiator"; content:"declaredMethods"; metadata:policy balanced-ips alert,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,57563; reference:cve,2013-0431; classtype:attempted-admin; sid:26587; rev:3; service:http; service:imap; service:pop3; )
01690 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt"; flow:to_client,established; file_data; content:"|70 01 00 10|findStaticSetter|01 00 55 28|"; metadata:policy balanced-ips alert,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,59162; reference:cve,2013-2423; reference:url,www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html; classtype:attempted-user; sid:26550; rev:2; service:http; service:imap; service:pop3; )
01691 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"Union1.class"; content:"Union2.class"; content:"SystemClass.class"; metadata:policy balanced-ips alert,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,59162; reference:cve,2013-2423; reference:url,www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html; classtype:attempted-user; sid:26549; rev:2; service:http; service:imap; service:pop3; )
01693 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"|0A C6 07 80 C3 B8 8D 0D A9 AB 8F B8 45 25 F0 1D|"; metadata:policy balanced-ips alert,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,59162; reference:cve,2013-2423; reference:url,www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html; classtype:attempted-user; sid:26499; rev:2; service:http; service:imap; service:pop3; )
01695 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt"; flow:to_client,established; file_data; content:"disableSecurityManager"; content:"java/lang/reflect/Field",nocase; content:"getSecurityManager",nocase; metadata:policy balanced-ips alert,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,59162; reference:cve,2013-2423; reference:url,www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html; classtype:attempted-user; sid:26486; rev:2; service:http; service:imap; service:pop3; )
01697 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java JRE reflection types public final field overwrite attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"|DD FE 53 3A 55 5B 3E 97 24 FD 19 31 34 97 2F B2 3E BD 4E D7 AD 50 CC 1C F2 C4 A3 43 E0 2C 6F 29|"; metadata:policy balanced-ips alert,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,59162; reference:cve,2013-2423; reference:url,www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html; classtype:attempted-user; sid:26484; rev:3; service:http; service:imap; service:pop3; )
01698 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java known malicious jar file download - specific structure"; flow:established,to_client; flowbits:isset,file.jar; file_data; content:"Foo.class"; content:"trash/A.class",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; classtype:trojan-activity; sid:26439; rev:2; service:http; service:imap; service:pop3; )
01703 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java 2D ImagingLib ConvolveOp integer overflow attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"java/awt/image/Kernel|3B 29|V|01 00 06|filter|01 00|"; content:"|00 1A 03|"; byte_test:4,>=,0x100000,0,relative; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,58296; reference:cve,2013-0809; reference:url,osvdb.org/show/osvdb/90837; classtype:attempted-user; sid:26197; rev:3; service:http; service:imap; service:pop3; )
01704 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java 2D ImagingLib LookupOp integer overflow attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"java/awt/RenderingHints|3B 29|V|01 00 06|filter|01 00|"; content:"|00 18 03|"; byte_test:4,>=,0x100000,0,relative; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,58296; reference:cve,2013-0809; reference:url,osvdb.org/show/osvdb/90837; classtype:attempted-user; sid:26196; rev:3; service:http; service:imap; service:pop3; )
01705 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java 2D ImagingLib AffineTransformOp integer overflow attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"java/awt/geom/AffineTransform|3B|I|29|V|01 00 06|filter|01 00|"; content:"|00 18 03|"; byte_test:4,>=,0x100000,0,relative; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,58296; reference:cve,2013-0809; reference:url,osvdb.org/show/osvdb/90837; classtype:attempted-user; sid:26195; rev:3; service:http; service:imap; service:pop3; )
01707 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java Gmbal package sandbox breach attempt"; flow:to_client,established; file_data; content:"GenericConstructor",nocase; content:"sun.invoke.anon",nocase; content:"ManagedObjectManagerFactory"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2012-5076; reference:url,osvdb.org/show/osvdb/76500; reference:url,osvdb.org/show/osvdb/86363; classtype:attempted-user; sid:26185; rev:3; service:http; service:imap; service:pop3; )
01711 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java JMX class arbitrary code execution attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"sun.org.mozilla.javascript.internal.GeneratedClassLoader"; content:"JmxMBeanServerBuilder"; content:"invokeWithArguments"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,57246; reference:cve,2013-0422; reference:url,malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html; classtype:attempted-user; sid:25831; rev:2; service:http; service:imap; service:pop3; )
01712 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java malicious class download attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"exploit",nocase; content:".classPK",within 20,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,53960; reference:bugtraq,57246; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; classtype:attempted-user; sid:25830; rev:3; service:http; service:imap; service:pop3; )
01713 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java obfuscated jar file download attempt"; flow:established,to_client; flowbits:isset,file.jar; file_data; content:"Obfuscation by Allatori Obfuscator"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; classtype:trojan-activity; sid:25562; rev:2; service:http; service:imap; service:pop3; )
01714 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java JMX class arbitrary code execution attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"B.classPK"; content:"PK",distance -800; pcre:"/^\x01\x02.{0,50}[a-zA-Z]{10}\x2fPK.{0,50}[a-zA-Z]{10}\x2f[a-zA-Z]{7}\.classPK/sR"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,57246; reference:cve,2013-0422; reference:cve,2013-0431; reference:url,malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html; classtype:attempted-user; sid:25472; rev:4; service:http; service:imap; service:pop3; )
01715 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java field bytecode verifier cache code execution attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"exploit/",nocase; content:".class",within 20,nocase; pcre:"/exploit\/(Exploit(App)?|Loader)\.class/ims"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,53960; reference:cve,2012-1723; reference:cve,2012-4681; reference:url,schierlm.users.sourceforge.net/CVE-2012-1723.html; classtype:attempted-user; sid:25123; rev:3; service:http; service:imap; service:pop3; )
01716 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java field bytecode verifier cache code execution attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"poc/",nocase; content:".class",within 20,nocase; pcre:"/poc\/(Exploit|myClassLoader|pocMain|runCmd)\.class/ims"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,53960; reference:cve,2012-1723; reference:url,schierlm.users.sourceforge.net/CVE-2012-1723.html; classtype:attempted-user; sid:25122; rev:2; service:http; service:imap; service:pop3; )
01717 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java field bytecode verifier cache code execution attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"msf/x/PayloadX$StreamConnector.class"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,53960; reference:cve,2012-1723; reference:url,schierlm.users.sourceforge.net/CVE-2012-1723.html; classtype:attempted-user; sid:25121; rev:2; service:http; service:imap; service:pop3; )
01720 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java Runtime true type font idef opcode heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.jar|file.class|file.ttf; file_data; content:"|00 01 00 00|",depth 4; content:"|89 2D 89 2D 89 2D 89 2D 89 2D 89 2D 89 2D 89 2D 89 2D 89 2D|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0499; reference:url,osvdb.org/show/osvdb/79226; classtype:attempted-user; sid:24701; rev:4; service:http; service:imap; service:pop3; )
01721 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java XGetSamplePtrFromSnd memory corruption attempt"; flow:to_client,established; flowbits:isset,file.rmf; file_data; content:"|1B 37 D6 E1 89 5F AB 9C 2E 1B 0D 49 A0 7B 89 8E C1 DE DE 86 17 22 12 1C 6F CC F1 CB AD EF 90 18|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,46394; reference:cve,2010-4462; classtype:attempted-user; sid:24510; rev:2; service:http; service:imap; service:pop3; )
01722 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java Runtime AWT setDiffICM stack buffer overflow attempt"; flow:to_client,established; file_data; content:"|00 0B 28|II[B[B[B|29|V|01 00 0A|setDiffICM|01 00|S|28|II"; content:"|0A|,|10 0A 11 01 90 BB 00 17|Y|10 10 08 08 BC|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,36881; reference:cve,2009-3869; classtype:attempted-user; sid:16288; rev:6; service:http; )
01724 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java Web Start JNLP attribute buffer overflow attempt"; flow:to_client,established; file_data; content:"<j2se",nocase; pcre:"/\x3cj2se[^\x3e]*(initial|max)-heap-size\s*\x3d\s*(\x22|\x27)[^\x22\x27]{50}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,30148; reference:cve,2008-3111; classtype:attempted-user; sid:13950; rev:9; service:http; )
01725 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java browser plugin docbase overflow attempt"; flow:to_client,established; file_data; content:"launchjnlp",fast_pattern,nocase; content:"docbase",within 100,nocase; isdataat:80,relative; pcre:"/^([\x22\x27]\s*value)?\s*=\s*\x22[^\x22]{70}/Rsmi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,44023; reference:cve,2010-3552; reference:url,osvdb.org/show/osvdb/68873; classtype:attempted-user; sid:18244; rev:7; service:http; )
01726 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java Runtime AWT setDiffICM stack buffer overflow attempt"; flow:to_client,established; file_data; content:"AppletX"; pcre:"/\x3C\s*applet[^\x3E\n$]*code\s*=\s*[\x27\x22]AppletX[\x22\x27][^\x3E\n$]*archive\s*=\s*[\x22\x27][^\s\x3E\n$]{32}\x2Ejar[\x22\x27]/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,36881; reference:cve,2009-3869; classtype:attempted-user; sid:19926; rev:5; service:http; )
01728 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java browser plugin docbase overflow attempt"; flow:to_client,established; file_data; content:"launchjnlp",fast_pattern,nocase; content:"docbase",within 100,nocase; isdataat:80,relative; pcre:"/^([\x22\x27]\s*value)?\s*=\s*\x27[^\x27]{70}/Rsmi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,44023; reference:cve,2010-3552; reference:url,osvdb.org/show/osvdb/68873; classtype:attempted-user; sid:20444; rev:3; service:http; )
01729 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle JavaScript heap exploitation library usage attempt"; flow:to_client,established; file_data; content:"heapLib.ie.prototype.freeOleaut32"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0779; reference:cve,2012-4969; reference:url,www.blackhat.com/presentations/bh-europe-07/Sotirov/Presentation/bh-eu-07-sotirov-apr19.pdf; classtype:attempted-user; sid:23614; rev:6; service:http; service:imap; service:pop3; )
01730 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_client,established; file_data; content:"|51 DB 6A 4F B5 16 EF 52 DB D4 AA 15 43 BB 89 C6 AB D5 06 B5 97 D6 AA D5 D6 A3 F5 D6 DE AD F5 96|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-4681; reference:cve,2012-5076; reference:url,osvdb.org/show/osvdb/86363; classtype:attempted-admin; sid:24026; rev:8; service:http; service:imap; service:pop3; )
01731 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_client,established; file_data; content:"AccessControlContext"; pcre:"/AccessControlContext\s*?(?P<var>\w*)\s*?=\s*?new\s*?AccessControlContext.*?SetField\x28Statement\.class,\s*?(?P<quotes1>\x22|\x27)acc(?P=quotes1),\s*?localStatement,\s*?(?P=var)/smi"; metadata:policy balanced-ips alert,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-4681; classtype:attempted-admin; sid:24028; rev:6; service:http; service:imap; service:pop3; )
01732 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java field bytecode verifier cache code execution attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"Trigger.class"; pcre:"/(DisableSandboxAndDrop|ConfusedClass|FieldAccessVerifierExpl)\.class/ims"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1723; reference:url,schierlm.users.sourceforge.net/CVE-2012-1723.html; classtype:attempted-user; sid:24201; rev:3; service:http; service:imap; service:pop3; )
01735 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_client,established; file_data; content:"|65 38 5C 78 65 61 5C 78 39 39 5C 78 31 39 5C 74 5C 78 61 35 33 5C 78 66 64 5B 5C 78 64 39 5C 78|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-4681; classtype:attempted-admin; sid:24125; rev:2; service:http; service:imap; service:pop3; )
01737 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_client,established; file_data; content:"|71 CE 4E 75 4D BD 4B 75 9C 44 B4 63 27 77 A7 84 92 2D DF 59 4E 73 E2 F4 DE AB D3 BB D3 BB F2 17|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-4681; classtype:attempted-admin; sid:24084; rev:2; service:http; service:imap; service:pop3; )
01738 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java Runtime Environment JAR File Processing Stack Buffer Overflow"; flow:to_client,established; file_data; content:"|1D 79 05 13 28 88 55 51 C2 A4 84 29 05 12 0C 19|"; content:"|F1 2B C6 40 A1 3D C6 60 81 A8 5D 28 34 30 44 06|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,32608; reference:cve,2008-5354; classtype:attempted-user; sid:17563; rev:6; service:http; service:imap; service:pop3; )
01740 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java Runtime Environment Type1 Font parsing integer overflow attempt"; flow:to_client; flowbits:isset,file.psfont; file_data; content:"|CF F9 2A 69 CE 32 21 93 B1 0D 9E 89 77 CD DD 58 3A C0 0C 33 A1 9F A4 4C E9 D0 66 FB CD 2D F1 B8 3E F8 FF 09 7D 7E 94 CA 6C 78 5C 7E FF 42 D1 B8|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,34240; reference:cve,2009-1099; classtype:attempted-user; sid:17623; rev:9; service:http; service:imap; service:pop3; )
01741 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java JRE sandbox Atomic breach attempt"; flow:to_client,established; flowbits:isset,file.universalbinary; file_data; content:"atomic"; content:"AtomicReferenceArray",within 20,distance 1; metadata:policy balanced-ips alert,policy security-ips alert,service http,service imap,service pop3; reference:bugtraq,52161; reference:cve,2012-0507; classtype:attempted-user; sid:21666; rev:3; service:http; service:imap; service:pop3; )
01742 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java JRE sandbox Atomic breach attempt"; flow:to_client,established; flowbits:isset,file.universalbinary; file_data; content:"|35 37 32 37 32 36 35 36 45 37 34 32 45 36 31 37 34 36 46 36 44 36 39 36|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,52161; reference:cve,2012-0507; classtype:attempted-user; sid:21665; rev:3; service:http; service:imap; service:pop3; )
01743 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java JRE sandbox Atomic breach attempt"; flow:to_client,established; flowbits:isset,file.universalbinary; file_data; content:"|33 36 35 37 30 37 34 36 39 36 46 01 00 2C 36 45 30 31 30 30 30 36 36 31|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,52161; reference:cve,2012-0507; classtype:attempted-user; sid:21664; rev:3; service:http; service:imap; service:pop3; )
01745 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_client,established; file_data; content:"|6B 78 9E B5 D6 F6 FF F1 FF FC 6F FF FB 97 2F 5F EC 5F FE EF 83 2F 42 C1 97 E3 6E 8B FF 67 FD F3|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-4681; classtype:attempted-admin; sid:24057; rev:3; service:http; service:imap; service:pop3; )
01747 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java privileged protection domain exploitation attempt"; flow:to_client,established; file_data; content:"|D3 2D 69 D2 25 D3 76 9A A6 4D 9B A6 49 DA A4 CD D2 C9 D2 E9 B4 4D 9C 73 05 78 C3 6F DE E4 AF 9A|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-4681; classtype:attempted-admin; sid:24055; rev:3; service:http; service:imap; service:pop3; )
01748 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java Runtime Environment Type1 Font parsing integer overflow attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"|1F 8B 08 08 D4 73 61 49 00 03 65 2E 70 61 63 6B 00 ED CE 3B 4B 03 41 10 00 E0 D9 7B C7 3B 15 63 63 2D 16 8A 8F D3 68 17 11 22 E4 34 21 31 82 31|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,34240; reference:cve,2009-1099; classtype:attempted-user; sid:17624; rev:7; service:http; service:imap; service:pop3; )
01749 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java field bytecode verifier cache code execution attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"|B1 00 02 00 06 00 20 00 23 00 48 00 04 00 3E 00 45 00 48 00 00 00 09 00 16 00 4A 00 01 00 0B 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1723; reference:url,schierlm.users.sourceforge.net/CVE-2012-1723.html; classtype:attempted-user; sid:23277; rev:3; service:http; service:imap; service:pop3; )
# Snort 2.x rule listing, FILE-JAVA / FILE-MULTIMEDIA section. Every rule here
# inspects the file_data buffer on to_client traffic; most are gated by a
# flowbits:isset file-type bit (presumably set by a file-identification rule
# elsewhere in the ruleset - not in this view). Rules without that gate run
# against every file_data buffer. The leading five-digit numbers are listing
# line numbers, not rule syntax.
#
# CVE-2012-1723 (sids 23273-23276): 23274-23276 match fixed bytecode byte runs
# and 23273 matches specific class names inside a jar/zip via pcre, so all four
# are tied to particular sample layouts rather than the bug itself.
01750 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java field bytecode verifier cache code execution attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"|07 02 36 0B 43 07 02 39 0B 43 07 02 3C 0B 43 07 02 3F 0B 43 07 02 42 0B 43 07 02 45 0B 43 07 02|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1723; reference:url,schierlm.users.sourceforge.net/CVE-2012-1723.html; classtype:attempted-user; sid:23276; rev:3; service:http; service:imap; service:pop3; )
01751 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java field bytecode verifier cache code execution attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"|00 01 00 0B 00 00 00 3D 00 06 00 02 00 00 00 1C 04 3C 2A B2 00 12 B2 00 18 1B 04 64 B2 00 18 BE|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1723; reference:url,schierlm.users.sourceforge.net/CVE-2012-1723.html; classtype:attempted-user; sid:23275; rev:3; service:http; service:imap; service:pop3; )
01752 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java field bytecode verifier cache code execution attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"|00 25 B6 00 12 B8 00 2B A7 00 08 4C 2B B6 00 31 B1 00 01 00 00 00 30 00 33 00 36 00 02 00 0A 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1723; reference:url,schierlm.users.sourceforge.net/CVE-2012-1723.html; classtype:attempted-user; sid:23274; rev:3; service:http; service:imap; service:pop3; )
01753 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java field bytecode verifier cache code execution attempt"; flow:to_client,established; flowbits:isset,file.jar; flowbits:isset,file.zip; file_data; content:".classPK",nocase; pcre:"/(sIda\/sId|urua\/uru)[abcd]\.classPK/ims"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1723; reference:url,schierlm.users.sourceforge.net/CVE-2012-1723.html; classtype:attempted-user; sid:23273; rev:4; service:http; service:imap; service:pop3; )
# sid 23243: end-of-central-directory record ("PK|05 06|") whose 16-bit field at
# offset 6 is 0 and whose 32-bit field at offset 8 is exactly 46 (little-endian);
# by the ZIP EOCD layout that is "zero total entries but a 46-byte central
# directory" - a very narrow match.
01754 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java Zip file directory record overflow attempt"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:"PK|05 06|"; byte_test:2,=,0,6,relative,little; byte_test:4,=,46,8,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,52013; reference:cve,2012-0501; reference:url,osvdb.org/show/osvdb/79228; classtype:attempted-user; sid:23243; rev:5; service:http; service:imap; service:pop3; )
# sid 20622: keys only on the generic class names "Exploit.class" and
# "Payload.class" inside a jar; any archive using those names will alert.
01755 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java Applet remote code execution attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"Exploit.class"; content:"Payload.class",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-3544; reference:cve,2012-5076; reference:url,osvdb.org/show/osvdb/76500; reference:url,osvdb.org/show/osvdb/86363; classtype:attempted-user; sid:20622; rev:10; service:http; service:imap; service:pop3; )
# sid 21056: msg says "write", but the anchor is java/io/FileInputStream (a read
# class) followed by a "\system32\" path; no CVE reference and classtype
# policy-violation - a heuristic rather than an exploit signature.
01757 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java attempt to write in system32"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"java/io/FileInputStream",nocase; content:"|5C|system32|5C|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; classtype:policy-violation; sid:21056; rev:5; service:http; service:imap; service:pop3; )
# CVE-2013-2460 (sids 27076, 27190): each matches only a literal class-file name
# in the jar, so a renamed class evades both.
01758 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java Applet disable security manager attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"DisableSecurityManagerAction.class"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,60635; reference:cve,2013-2460; reference:url,osvdb.org/show/osvdb/94346; reference:url,www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html; classtype:attempted-user; sid:27076; rev:1; service:http; service:imap; service:pop3; )
01760 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java Applet ProviderSkeleton sandbox bypass attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"ExploitApp.classPK"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,60635; reference:cve,2013-2460; reference:url,osvdb.org/show/osvdb/94346; reference:url,www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html; classtype:attempted-user; sid:27190; rev:1; service:http; service:imap; service:pop3; )
# FILE-MULTIMEDIA: QuickTime / MP4 atom rules (flowbits file.quicktime, file.mp4).
# sids 17531 and 17381 are fixed byte runs from specific samples.
01762 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Apple QuickTime MOV file JVTCompEncodeFrame heap overflow attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"|55 12 FE 3F 35 F2 C0 00 00 00 0B 01 03 0A B1 54 0D 02 4A E3 17 19 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,23650; reference:cve,2007-2295; classtype:attempted-user; sid:17531; rev:12; service:http; service:imap; service:pop3; )
01763 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Apple QuickTime PDAT Atom parsing buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"|00 00 00 01 0F 00 00 00 FE B4 00 00 FE 01 1A C4 42 01 1A C4 41 1A EC EC 42 81 1A C4 43 81 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2008-3625; reference:url,support.apple.com/kb/HT3027; classtype:attempted-user; sid:17381; rev:8; service:http; service:imap; service:pop3; )
# sid 15682: walks stbl -> stsd -> ima4 -> stsc, jumps past the stsc table
# (entry count * 12, big-endian) and alerts when "stsz" does not follow there.
01764 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Microsoft Windows DirectShow QuickTime file stsc atom parsing heap corruption attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"stbl"; content:"stsd",within 4,distance 4; content:"ima4",distance 8; content:"stsc",distance 0; byte_jump:4,4,relative,multiplier 12,big; isdataat:7,relative; content:!"stsz",within 4,distance 4; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-1538; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-028; classtype:attempted-user; sid:15682; rev:10; service:http; service:imap; service:pop3; )
01765 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Apple QuickTime movie record invalid version number exploit attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"moov"; content:"mvhd|FF|",within 5,distance 4; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-0956; reference:url,support.apple.com/kb/HT3591; classtype:attempted-user; sid:15480; rev:7; service:http; service:imap; service:pop3; )
# CVE-2009-0398 (sids 17610-17612): one rule per table atom (stts/stss/ctts),
# each anchored on an exact byte run after the atom tag.
01766 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA GStreamer QuickTime file parsing multiple heap overflow attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"stts"; content:"|00 00 00 00 00 00 00 01 EE 00 00 26 00 00 04 00 00|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,33405; reference:cve,2009-0398; classtype:attempted-user; sid:17612; rev:9; service:http; service:imap; service:pop3; )
01767 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA GStreamer QuickTime file parsing multiple heap overflow attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"stss"; content:"|00 00 00 00 00 00 00 03 00 00 00 01 00 FF FF FF|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,33405; reference:cve,2009-0398; classtype:attempted-user; sid:17611; rev:9; service:http; service:imap; service:pop3; )
01768 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA GStreamer QuickTime file parsing multiple heap overflow attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"ctts"; content:"|00 00 00 00 00 00 00 8F 00 00 00 01 00 00 00 14 00 FF FF FF|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,33405; reference:cve,2009-0398; classtype:attempted-user; sid:17610; rev:9; service:http; service:imap; service:pop3; )
# sid 17372: the 16-bit value right after "|A9|nam|FF|" must exceed 251. The msg
# ends in "vulnerability" where every sibling ends in "attempt".
01769 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Apple QuickTime udta atom parsing heap overflow vulnerability"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"udta"; content:"|A9|nam|FF|",distance 0; byte_test:2,>,251,0,relative; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,22844; reference:cve,2007-0714; classtype:attempted-user; sid:17372; rev:8; service:http; service:imap; service:pop3; )
# CVE-2012-0754 (sids 21339-21342): dscp/titl/auth use byte_test <= 0x0d at
# offset -9 (atom size 13 or smaller), but cprt (21342) uses an exact content
# match for |00 00 00 0D| and therefore misses sizes below 13 - worth aligning
# with the other three.
01770 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Adobe Flash Player MP4 zero length atom cprt field attempt"; flow:to_client,established; flowbits:isset,file.mp4; file_data; content:"cprt|00|",nocase; content:"|00 00 00 0D|",within 4,distance -9; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0754; reference:url,www.adobe.com/support/security/bulletins/apsb12-03.html; classtype:attempted-user; sid:21342; rev:7; service:http; service:imap; service:pop3; )
01771 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Adobe Flash Player MP4 zero length atom 'dscp' field attempt"; flow:to_client,established; flowbits:isset,file.mp4; file_data; content:"dscp|00|",nocase; byte_test:4,<=,0x0000000d,-9,relative; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0754; reference:url,www.adobe.com/support/security/bulletins/apsb12-03.html; classtype:attempted-user; sid:21341; rev:5; service:http; service:imap; service:pop3; )
01772 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Adobe Flash Player MP4 zero length atom 'titl' field attempt"; flow:to_client,established; flowbits:isset,file.mp4; file_data; content:"titl|00|",nocase; byte_test:4,<=,0x0000000d,-9,relative; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0754; reference:url,www.adobe.com/support/security/bulletins/apsb12-03.html; classtype:attempted-user; sid:21340; rev:5; service:http; service:imap; service:pop3; )
01773 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Adobe Flash Player MP4 zero length atom auth field attempt"; flow:to_client,established; flowbits:isset,file.mp4; file_data; content:"auth|00|",nocase; byte_test:4,<=,0x0000000d,-9,relative; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0754; reference:url,www.adobe.com/support/security/bulletins/apsb12-03.html; classtype:attempted-user; sid:21339; rev:6; service:http; service:imap; service:pop3; )
# sid 15166: a <time> element whose begin= or end= value runs 13+ characters
# without a closing quote.
01774 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA VideoLAN VLC Media Player RealText buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.realplayer.playlist; file_data; content:"<time ",nocase; pcre:"/\x3ctime\x20[^\x3e]*(begin|end)\x3d\x22[^\x22]{13}/Osmi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2008-5036; classtype:attempted-user; sid:15166; rev:7; service:http; service:imap; service:pop3; )
01775 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Microsoft Windows MPEG Layer-3 audio heap corruption attempt"; flow:to_client,established; flowbits:isset,file.mp3; file_data; content:"|FF FA 92 60 3C 6F|"; content:"|FF FA 92 C9 B9 56|",within 6,distance 412,fast_pattern; content:"|A9 00 04 48 58 DC E1 83 4B 68 32 01 9B BC 04 A3 27 0E A5 3D 71 66 0D 2D A8 D3 84 AF 3C 14 88 94 3E 89 CA BF 80 9C|",within 38; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-1882; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-052; classtype:attempted-user; sid:16353; rev:7; service:http; service:imap; service:pop3; )
# sid 16353: no flowbits gate (only the "OggS" magic at depth 4), so it is
# evaluated on every file_data buffer; alerts when the byte following "|82|theora"
# has none of the 0xE0 bits set (byte_test !& as I read the operator).
01776 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA FFmpeg OGV file format memory corruption attempt"; flow:to_client,established; file_data; content:"OggS",depth 4; content:"|82|theora",distance 0; byte_test:1,!&,0xE0,0,relative; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,36465; reference:cve,2009-4631; reference:cve,2009-4632; reference:cve,2009-4633; reference:cve,2009-4634; reference:cve,2009-4635; reference:cve,2009-4636; reference:cve,2009-4637; reference:cve,2009-4638; reference:cve,2009-4639; reference:cve,2009-4640; reference:url,secunia.com/advisories/36805; classtype:attempted-user; sid:16353; rev:7; service:http; service:imap; service:pop3; )
# sid 15080: classtype misc-activity (lower priority than the attempted-user
# used by the rest of this section) for a VLC integer-overflow signature.
01777 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA VideoLAN VLC Media Player WAV processing integer overflow attempt"; flow:to_client,established; flowbits:isset,file.wav; file_data; content:"RIFF"; content:"WAVEfmt",distance 4; byte_test:4,>,0xfffffffc,1,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,30058; reference:cve,2008-2430; classtype:misc-activity; sid:15080; rev:7; service:http; service:imap; service:pop3; )
01778 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA VideoLAN VLC real.c ReadRealIndex real demuxer integer overflow attempt"; flow:to_client,established; flowbits:isset,file.realmedia; file_data; content:"INDX"; byte_test:4,>,0x15555554,6,relative,big; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,32545; reference:cve,2008-5276; classtype:attempted-user; sid:15241; rev:8; service:http; service:imap; service:pop3; )
# sid 15487: qt:next pointing at a file:/// URL; sid 12728: wallclock( with an
# 11-digit fractional part before the closing paren.
01779 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Apple QuickTime SMIL qtnext redirect file execution attempt"; flow:to_client,established; flowbits:isset,file.realplayer.playlist; file_data; content:"qt|3A|next"; pcre:"/qt\x3anext\s*\x3d\s*\x22\s*file\x3a\x2f{3}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,29650; reference:cve,2008-1585; classtype:attempted-user; sid:15487; rev:8; service:http; service:imap; service:pop3; )
01780 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA RealNetworks SMIL wallclock stack overflow attempt"; flow:to_client,established; flowbits:isset,file.smil; file_data; content:"<smi",nocase; content:"wallclock|28|"; pcre:"/^[^\x29]*\x2E[0-9]{11}/R"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,24658; reference:cve,2007-3410; classtype:attempted-user; sid:12728; rev:7; service:http; service:imap; service:pop3; )
# CVE-2007-0064 (sids 13158-13160): ASF object GUIDs in text form with spaced
# byte_test/byte_jump arguments (style differs from the rest of the file).
# Unlike sids 19444-19450 below these have no flowbits:isset,file.asf gate and
# are limited to $HTTP_PORTS, so the same objects delivered over IMAP/POP3 are
# not covered by them.
01781 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Microsoft Media Player asf streaming format interchange data integer overflow attempt"; flow:to_client,established; file_data; content:"35907DE0-E415-11CF-A917-00805F5C442B"; byte_test:2, >, 65476, 52, relative; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2007-0064; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-068; classtype:attempted-user; sid:13158; rev:6; service:http; )
01782 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Microsoft Media Player asf streaming format audio error masking integer overflow attempt"; flow:to_client,established; file_data; content:"49F1A440-4ECE-11d0-A3AC-00A0C90348F6"; byte_jump:4, 8, relative; byte_test:2, >, 65527, 14, relative; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2007-0064; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-068; classtype:attempted-user; sid:13159; rev:6; service:http; )
01783 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Microsoft Media Player asf streaming audio spread error correction data length integer overflow attempt"; flow:to_client,established; file_data; content:"BFC3CD50-618F-11CF-8BB2-00AA00B4E220"; byte_test:4, >, 65522, 12, relative; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2007-0064; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-068; classtype:attempted-user; sid:13160; rev:7; service:http; )
# CVE-2009-2498 (sids 19444-19450): one skeleton - a fixed 16-byte GUID, the
# object size pulled into 'objectsize' from 8 bytes back, a per-object GUID 68
# bytes on (written as mixed text/hex in most of them), then an alert when the
# inner 32-bit size field exceeds the extracted object size. Only the
# per-object GUID and the msg differ between the seven rules.
01784 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Microsoft Windows Media encryption sample ID header RCE attempt"; flow:to_client,established; flowbits:isset,file.asf; file_data; content:"|CB A5 E6 14 72 C6 32 43 83 99 A9 69 52 06 5B 5A|"; content:"|00 00 00 00|",within 4,distance 4; byte_extract:4,-8,objectsize,relative,little; content:"|06 AF E1 00 EC 7B D1 11 A5 82 00 C0 4F C2 9C FB|",distance 68,fast_pattern; byte_test:4,>,objectsize,2,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:19450; rev:7; service:http; service:imap; service:pop3; )
01785 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Microsoft Windows Media encryption sample ID header RCE attempt"; flow:to_client,established; flowbits:isset,file.asf; file_data; content:"|CB A5 E6 14 72 C6 32 43 83 99 A9 69 52 06 5B 5A|"; content:"|00 00 00 00|",within 4,distance 4; byte_extract:4,-8,objectsize,relative,little; content:"N|B8 98|f|FA 0A|0C|AE B2 1C 0A 98 D7 A4|M",distance 68,fast_pattern; byte_test:4,>,objectsize,2,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:19449; rev:7; service:http; service:imap; service:pop3; )
01786 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Microsoft Windows Media pixel aspect ratio header RCE attempt"; flow:to_client,established; flowbits:isset,file.asf; file_data; content:"|CB A5 E6 14 72 C6 32 43 83 99 A9 69 52 06 5B 5A|"; content:"|00 00 00 00|",within 4,distance 4; byte_extract:4,-8,objectsize,relative,little; content:"T|E5 1E 1B EA F9 C8|K|82 1A|7kt|E4 C4 B8|",distance 68,fast_pattern; byte_test:4,>,objectsize,2,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:19448; rev:7; service:http; service:imap; service:pop3; )
01787 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Microsoft Windows Media content type header RCE attempt"; flow:to_client,established; flowbits:isset,file.asf; file_data; content:"|CB A5 E6 14 72 C6 32 43 83 99 A9 69 52 06 5B 5A|"; content:"|00 00 00 00|",within 4,distance 4; byte_extract:4,-8,objectsize,relative,little; content:" |DC 90 D5 BC 07|lC|9C F7 F3 BB FB F1 A4 DC|",distance 68,fast_pattern; byte_test:4,>,objectsize,2,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:19447; rev:7; service:http; service:imap; service:pop3; )
01788 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Microsoft Windows Media file name header RCE attempt"; flow:to_client,established; flowbits:isset,file.asf; file_data; content:"|CB A5 E6 14 72 C6 32 43 83 99 A9 69 52 06 5B 5A|"; content:"|00 00 00 00|",within 4,distance 4; byte_extract:4,-8,objectsize,relative,little; content:"|0E EC|e|E1 ED 19 D7|E|B4 A7|%|CB D1 E2 8E 9B|",distance 68,fast_pattern; byte_test:4,>,objectsize,2,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:19446; rev:7; service:http; service:imap; service:pop3; )
01789 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Microsoft Windows Media Timecode header RCE attempt"; flow:to_client,established; flowbits:isset,file.asf; file_data; content:"|CB A5 E6 14 72 C6 32 43 83 99 A9 69 52 06 5B 5A|"; content:"|00 00 00 00|",within 4,distance 4; byte_extract:4,-8,objectsize,relative,little; content:"|EC 95 95|9g|86|-N|8F DB 98 81|L|E7|l|1E|",distance 68,fast_pattern; byte_test:4,>,objectsize,2,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:19445; rev:7; service:http; service:imap; service:pop3; )
01790 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Microsoft Windows Media sample duration header RCE attempt"; flow:to_client,established; flowbits:isset,file.asf; file_data; content:"|CB A5 E6 14 72 C6 32 43 83 99 A9 69 52 06 5B 5A|"; content:"|00 00 00 00|",within 4,distance 4; byte_extract:4,-8,objectsize,relative,little; content:"P|94 BD C6 7F 86 07|I|83 A3 C7|y!|B7|3|AD|",distance 68,fast_pattern; byte_test:4,>,objectsize,2,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:19444; rev:6; service:http; service:imap; service:pop3; )
# AVI rules (flowbits file.avi.video / file.avi). sids 21078, 19403, 19146,
# 15995, 16661 and 17128 are fixed byte runs from specific samples.
01798 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Microsoft Windows DirectShow GraphEdt closed captioning memory corruption"; flow:to_client,established; flowbits:isset,file.avi.video; file_data; content:"|52 49 46 46 F8 C1 4E 0E 41 56 49 20 4C 49 53 54 90 7C 01 00 68 64 72 6C 61 76 69 68 38 00 00 00 56 82 00 00 5D FA 4C 01 00 02 00 00 10 08 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0004; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-004; classtype:attempted-user; sid:21078; rev:4; service:http; service:imap; service:pop3; )
01799 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Cinepak Codec VIDC decompression remote code execution attempt"; flow:to_client,established; flowbits:isset,file.avi.video; file_data; content:"|00 00 00 1B 00 00 B0 00 90 00 8F 10 00 00 30 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,42256; reference:cve,2010-2553; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-055; classtype:attempted-user; sid:19403; rev:9; service:http; service:imap; service:pop3; )
01800 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Microsoft Windows DirectX quartz.dll MJPEG content processing memory corruption attempt"; flow:to_client,established; flowbits:isset,file.avi.video; file_data; content:"|32 32 32 32 32 32 FF C0 00 0B 08 00 F0 01 40 01 9C 11 01 FF DD 00 04 00 00 FF C4 00 9F 01 72 12 00 00 00 00 01|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,40432; reference:cve,2010-1879; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-033; classtype:attempted-user; sid:19146; rev:9; service:http; service:imap; service:pop3; )
# sid 21168: chunk_size is extracted 4 bytes after "INFO", but the
# isdataat:!chunk_size that follows has no 'relative' modifier, so it measures
# from the start of the buffer rather than from the chunk - confirm that is the
# intended check.
01801 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA AVI file chunk length integer overflow attempt"; flow:to_client,established; flowbits:isset,file.avi.video; file_data; content:"AVI LIST",depth 8,offset 8; content:"hdrlavih",within 8,distance 4; content:"INFO",distance 0; byte_extract:4,4,chunk_size,relative,little; isdataat:!chunk_size; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-3834; reference:url,forums.winamp.com/showthread.php?t=332010; classtype:attempted-user; sid:21168; rev:4; service:http; service:imap; service:pop3; )
01802 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Microsoft Windows Visual Basic 6.0 malformed AVI buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.avi.video; file_data; content:"RIFF"; content:"AVI ",within 4,distance 4; content:"strf"; byte_test:4,>,1088,0,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2008-4255; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-070; classtype:attempted-user; sid:15104; rev:12; service:http; service:imap; service:pop3; )
# CVE-2009-1545/1546 (sids 16342, 15854): 16342 (only_stream) fires on an avih
# declaring 56 bytes ("8|00 00 00|") when fewer than 56 follow; 15854 fires when
# the avih length field is anything other than 56.
01803 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Microsoft Windows AVIFile truncated media file processing memory corruption attempt"; flow:to_client,established,only_stream; flowbits:isset,file.avi.video; file_data; content:"RIFF"; content:"AVI LIST",within 8,distance 4; content:"hdrlavih8|00 00 00|",within 12,distance 4; isdataat:!56,relative; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,35970; reference:cve,2009-1545; reference:cve,2009-1546; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-038; classtype:attempted-user; sid:16342; rev:11; service:http; service:imap; service:pop3; )
01804 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Microsoft Windows AVIFile media file processing memory corruption attempt"; flow:to_client,established; flowbits:isset,file.avi.video; file_data; content:"RIFF"; content:"AVI LIST",within 8,distance 4; content:"hdrlavih",within 8,distance 4; byte_test:4,!=,56,0,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,35970; reference:cve,2009-1545; reference:cve,2009-1546; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-038; classtype:attempted-user; sid:15854; rev:12; service:http; service:imap; service:pop3; )
01805 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Microsoft Windows DirectX malformed avi file mjpeg compression arbitrary code execution attempt"; flow:to_client,established; flowbits:isset,file.avi.video; file_data; content:"P.|00 00 10|'|00 00 00 00 00 00 00 00 00 00|@|01 F0 00|strf|28 00 00 00 28 00 00 00|@|00 00 00 F0 00 00 00 01 00 18 00|MJPG|00 84|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2008-0011; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-033; classtype:attempted-user; sid:15995; rev:9; service:http; service:imap; service:pop3; )
01806 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Microsoft Windows DirectX quartz.dll MJPEG content processing memory corruption attempt"; flow:to_client,established; flowbits:isset,file.avi.video; file_data; content:"|8E 8C 8B 8E 8C 8B 8E 8C 8C 8D 8B 8C 8D 8B 8C 8D 8B 8C 8D 8B 8C 8D 8B 8C FF C4 00 9F 01 72 12 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-1879; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-033; classtype:attempted-user; sid:16661; rev:13; service:http; service:imap; service:pop3; )
01807 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Cinepak Codec VIDC decompression remote code execution attempt"; flow:to_client,established; flowbits:isset,file.avi.video; file_data; content:"00dc|52 0A 00 00 01 00 0A 52 00 50 00 3C 55 55 11 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-2553; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-055; classtype:attempted-user; sid:17128; rev:11; service:http; service:imap; service:pop3; )
# sid 17470: flowbits OR form (file.quicktime|file.jpeg); this one and sids
# 17561/17469 are $HTTP_PORTS-only, unlike the $FILE_DATA_PORTS rules around them.
01810 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Apple QuickTime STSD JPEG atom heap corruption attempt"; flow:to_client,established; flowbits:isset,file.quicktime|file.jpeg; file_data; content:"|00 00 00 56 6A 70 65 67 00 00 00 00 00 00 00 01 00 00 00 00 61 70 70 6C 00 00 00 00 00 00 02 00 00 02 00 03 00 48 00 00 00 48 00 00 00 00 00 00 00 01 0C 50 68 6F 74 6F 20 2D 20 4A 50 45 47 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,33390; reference:cve,2009-0007; classtype:attempted-user; sid:17470; rev:5; service:http; )
# sid 17561: no flowbits gate; fixed byte run only.
01811 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA RealNetworks RealPlayer IVR Overly Long Filename Code Execution attempt"; flow:to_client,established; file_data; content:"|1F 5C 80 00 00 08 72 61 6D 34 2E 72 65 63 00 00 00 00 00 00 01 79|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,33652; reference:cve,2009-0375; classtype:attempted-user; sid:17561; rev:4; service:http; )
01812 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Mplayer Real Demuxer stream_read heap overflow attempt"; flow:to_client,established; flowbits:isset,file.realplayer; file_data; content:".RMF",depth 4; content:"|14 76 69 64 65 6F 2F 78 2D 70 6E 2D 72 65 61 6C 76 69 64 65 6F 00 00 00 1A 59 49 59 55 56 49 44 4F 52 56 32 30 00 01 00 01 00 1E 59 49 59 55 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,31473; reference:cve,2008-3827; classtype:attempted-user; sid:17469; rev:5; service:http; )
01813 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA RealNetworks RealPlayer QCP parsing buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.qcp; file_data; content:"RIFF",depth 4; content:"QLCMfmt|20|",within 8,distance 4; byte_test:4,>,220,0,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-2950; classtype:attempted-user; sid:20288; rev:7; service:http; service:imap; service:pop3; )
# sid 16543: after an 'auds' stream header, locates the strf with format tag
# "U|00|" and alerts when the 32-bit value 2 bytes on matches none of nine
# listed sample rates - a benign but non-standard rate will alert too.
01814 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Microsoft Windows Media Player codec code execution attempt"; flow:to_client,established; flowbits:isset,file.avi; file_data; content:"strh"; content:"auds",within 4,distance 4,fast_pattern; byte_jump:4,-8,relative,little; isdataat:16,relative; content:"strf",within 4; content:"U|00|",within 2,distance 4; byte_test:4,!=,48000,2,relative,little; byte_test:4,!=,44100,2,relative,little; byte_test:4,!=,32000,2,relative,little; byte_test:4,!=,24000,2,relative,little; byte_test:4,!=,22050,2,relative,little; byte_test:4,!=,16000,2,relative,little; byte_test:4,!=,12000,2,relative,little; byte_test:4,!=,11025,2,relative,little; byte_test:4,!=,8000,2,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-0480; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-026; classtype:attempted-user; sid:16543; rev:9; service:http; service:imap; service:pop3; )
# sid 19169: jumps over the strh chunk by its own length and alerts when "strf"
# is not the next chunk.
01815 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA RealNetworks RealPlayer vidplin.dll avi header parsing execution attempt"; flow:to_client,established; flowbits:isset,file.avi; file_data; content:"strlstrh",fast_pattern,nocase; byte_jump:4,0,relative,little; content:!"strf",within 4,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,46047; reference:cve,2010-4393; classtype:attempted-user; sid:19169; rev:6; service:http; service:imap; service:pop3; )
# Playlist length checks: sid 18484 (M3U, 1000-char URL line), sids 16751/16752
# (smb:// of 251+ chars, gated on m3u and xspf respectively - the two pcre
# character classes are equivalent).
01816 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Apple iTunes Playlist Overflow Attempt"; flow:to_client,established; flowbits:isset,file.m3u; file_data; content:"|23|EXTM3U",depth 7,nocase; isdataat:1000; pcre:"/https?\x3a\x2f\x2f[^\n\r]{1000}/Ri"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2005-0043; classtype:attempted-user; sid:18484; rev:9; service:http; service:imap; service:pop3; )
01817 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA VideoLAN VLC Media Player SMB module Win32AddConnection buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xspf; file_data; content:"smb|3A 2F 2F|"; pcre:"/smb\x3A\x2F\x2F[^\s\x0A\x0D\x3C]{251}/mi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,35500; reference:cve,2009-2484; reference:url,osvdb.org/show/osvdb/55509; classtype:attempted-user; sid:16752; rev:7; service:http; service:imap; service:pop3; )
01818 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA VideoLAN VLC Media Player SMB module Win32AddConnection buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.m3u; file_data; content:"smb|3A 2F 2F|"; pcre:"/smb\x3A\x2F\x2F[^\s\x0D\x0A\x3C]{251}/mi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,35500; reference:cve,2009-2484; reference:url,osvdb.org/show/osvdb/55509; classtype:attempted-user; sid:16751; rev:7; service:http; service:imap; service:pop3; )
01819 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA FFmpeg 4xm processing memory corruption attempt"; flow:to_client,established; flowbits:isset,file.4xm; file_data; content:"strk|28 00 00 00|"; byte_test:4,>,0x7ffffffe,0,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,33502; reference:cve,2009-0385; classtype:attempted-user; sid:15871; rev:6; service:http; service:imap; service:pop3; )
01820 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA VideoLAN VLC Media Player XSPF memory corruption attempt"; flow:to_client,established; flowbits:isset,file.xspf; file_data; content:"<trackList><track>",nocase; content:"<identifier>-",distance 0; content:"</track></trackList>",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2008-4558; classtype:attempted-user; sid:15157; rev:9; service:http; service:imap; service:pop3; )
# sid 17548: the named group (?P<q1>...) forces the closing quote of the meta
# name to match the opening one; then content=" must be followed by 1024 bytes
# with no closing quote.
01821 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Apple QuickTime SMIL File Handling Integer Overflow attempt"; flow:to_client,established; flowbits:isset,file.smil; file_data; content:"<smil>"; pcre:"/meta\s*name\x3d\s*(?P<q1>(\x22|\x27|))(author|copyright|title|information)\s*(?P=q1)/smiR"; content:"content|3D 22|",distance 1,nocase; isdataat:1024,relative; content:!"|22|",within 1024; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,24873; reference:cve,2007-2394; classtype:attempted-user; sid:17548; rev:10; service:http; service:imap; service:pop3; )
01822 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA RealNetworks RealPlayer SMIL wallclock parsing buffer overflow"; flow:to_client,established; flowbits:isset,file.smil; file_data; content:"smil ",nocase; content:"wallclock|28|",distance 0,nocase; pcre:"/wallclock\x28((\d{2}\x3A){2}\d{2}\.[^\x2b\x2d\x5a]{11}|\d{4}-\d{2}-\d{2}T(\d{2}\x3A){2}\d{2}\.[^\x2b\x2d\x5a]{11})/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,24658; reference:cve,2007-3410; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=547; classtype:attempted-user; sid:12219; rev:8; service:http; service:imap; service:pop3; )
01823 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Microsoft Windows DirectX SAMI file parsing buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.smi; file_data; content:"<SAMI",nocase; content:"<STYLE",distance 0,nocase; content:"text/css",within 200,nocase; isdataat:600,relative; content:!"</STYLE",within 600; pcre:"/\x3Cstyle[^\x3E]+?type\s*\x3D\s*(?P<q>(\x22|\x27|))text\x2Fcss(?P=q)[^\x3E]*\x3E.*^\s*\S+\s*\x7b[^\x7d]{500}/smiO"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2008-1444; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-033; classtype:attempted-user; sid:13823; rev:11; service:http; service:imap; service:pop3; )
01824 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Microsoft Windows Movie Maker project file heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.mswmm; file_data; content:"P|00|r|00|o|00|d|00|u|00|c|00|e|00|r|00|.|00|d|00|a|00|t|00 00 00|",fast_pattern,nocase; byte_extract:4,94,low,relative,little; content:"W|00|m|00|t|00|o|00|o|00|l|00|s|00|V|00|a|00|l|00|i|00|d|00 00 00|",distance 0,nocase; byte_test:4,>,low,94,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-0265; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-016; classtype:attempted-user; sid:19956; rev:7; service:http; service:imap; service:pop3; )
01825 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Microsoft Windows Movie Maker string size overflow attempt"; flow:to_client,established; flowbits:isset,file.mswmm; file_data; content:"|00 10 00 00|AAAAAAAAAAAA"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-2564; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-050; classtype:attempted-user; sid:17135; rev:9; service:http; service:imap; service:pop3; )
01826 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Microsoft Windows Media Player Firefox plugin memory corruption attempt"; flow:to_client,established; flowbits:isset,file.wmv; file_data; content:"setTimeout|28 27|location|2E|reload|28 29 27 2C| 1000"; content:"autostart|3D|1 src=|22|invalid|2E|wmv|22|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-2745; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-083; classtype:attempted-user; sid:17773; rev:9; service:http; service:imap; service:pop3; )
01827 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Microsoft Windows Movie Maker string size overflow attempt"; flow:to_client,established; flowbits:isset,file.mswmm; file_data; content:"|00 12 00 00|AAAAAAAAAAAA"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-2564; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-050; classtype:attempted-user; sid:19063; rev:9; service:http; service:imap; service:pop3; )
01829 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Apple QuickTime panorama atoms buffer overflow attempt"; flow:to_client,established; file_data; content:"|00 00 00 00 00 00 01 A6 73 65 61 6E 00 00 00 01 00 00 00 04 00 00 00 00 00 00 41 41 70 64 61 74 00 00 00 01 00 00 00 00 00 00 00 00 00 02 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,26342; reference:cve,2007-4675; reference:url,docs.info.apple.com/article.html?artnum=306896; classtype:attempted-user; sid:17373; rev:5; service:http; )
01831 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Apple QuickTime marshaled punk remote code execution"; flow:to_client,established; file_data; content:"_Marshaled_pUnk",nocase; pcre:"/name\s*=\s*(?P<q1>\x22|\x27|)_Marshaled_pUnk(?P=q1)/smi"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:cve,2010-1818; classtype:attempted-user; sid:17211; rev:5; service:http; )
01832 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Apple QuickTime pict image poly structure memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pct; file_data; content:"|00 11 02 FF 0C 00|"; pcre:"/\x00[\x70-\x74]\x00[\x00-\x09]/isR"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,26345; reference:bugtraq,34938; reference:cve,2007-4676; reference:cve,2009-0010; classtype:attempted-user; sid:15384; rev:7; service:http; service:imap; service:pop3; )
01834 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Apple QuickTime MOV Atom length buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.quicktime; file_data; content:"hspa"; content:"vrsg",distance 0; byte_test:2,>,0x7000,14,relative; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0667; reference:url,support.apple.com/kb/HT5261; classtype:attempted-user; sid:24549; rev:2; service:http; service:imap; service:pop3; )
01836 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Apple QuickTime movie buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.mp4|file.m4v; file_data; content:"moov",nocase; content:"trak",distance 0,nocase; content:"mdia",distance 0,nocase; content:"minf",distance 0,nocase; content:"stbl",distance 0,nocase; content:"stsd",distance 0,nocase; content:"avc1",distance 0,nocase; content:"avcC",distance 0,nocase; content:"|FF E1|",within 2,distance 4; byte_test:2,>=,0x8000,0,relative,big; metadata:policy balanced-ips alert,policy security-ips alert,service http,service imap,service pop3; reference:cve,2006-4381; reference:url,support.apple.com/kb/TA24355; classtype:attempted-user; sid:24640; rev:2; service:http; service:imap; service:pop3; )
01839 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Mozilla products Ogg Vorbis decoding memory corruption attempt"; flow:to_client,established; file_data; content:"OggS|00|",depth 5; content:"|0A 42 64 86 A8 CA 34 3C 04 87 07 97 00 11 71 15|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,51753; reference:cve,2012-0444; classtype:attempted-user; sid:25297; rev:1; service:http; service:imap; service:pop3; )
01841 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Apple QuickTime Targa image file buffer overflow attempt"; flow:to_client,established; file_data; flowbits:isset,file.tga; content:"|00 00 02 00 00 00 00 00 00 00 00|",depth 11; content:"|E9 7F 58 02 18 00 72 64 33 6D 5E 2C 6D 5E 2C 6D|"; metadata:policy balanced-ips drop,service http,service imap,service pop3; reference:bugtraq,56438; reference:cve,2012-3755; reference:url,support.apple.com/kb/HT5581; classtype:attempted-user; sid:25376; rev:1; service:http; service:imap; service:pop3; )
01842 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Apple QuickTime Targa image file buffer overflow attempt"; flow:to_client,established; file_data; flowbits:isset,file.tga; content:"|00 00 02 00 00 00 00 00 00 00 00|",depth 11; content:"|AC 2A E9 03 18 00 00 00 00 00 00 00 00 00 00 00|"; metadata:policy balanced-ips drop,service http,service imap,service pop3; reference:bugtraq,56438; reference:cve,2012-3755; reference:url,support.apple.com/kb/HT5581; classtype:attempted-user; sid:25377; rev:1; service:http; service:imap; service:pop3; )
01845 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Microsoft Windows DirectShow MPEG heap overflow attempt"; flow:to_client,established; flowbits:isset,file.mpeg; file_data; content:"|00 00 01 B3|AAAAAA|BA|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-0077; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-011; classtype:attempted-user; sid:25795; rev:1; service:http; service:imap; service:pop3; )
01848 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Apple iTunes ITMS protocol handler stack buffer overflow attempt"; flow:to_client,established; file_data; content:"itms|3A|//",nocase; isdataat:256,relative; pcre:"/(\x22|\x27)itms\x3a\x2f\x2f[^\x22\x27]*\x3a[^\x22\x27\x2f]{256}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,35157; reference:cve,2009-0950; classtype:attempted-user; sid:15703; rev:4; service:http; )
01849 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Apple iTunes ITMSS protocol handler stack buffer overflow attempt"; flow:to_client,established; file_data; content:"itmss|3A|//",nocase; isdataat:256,relative; pcre:"/(\x22|\x27)itmss\x3a\x2f\x2f[^\x22\x27]*\x3a[^\x22\x27\x2f]{256}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,35157; reference:cve,2009-0950; classtype:attempted-user; sid:15704; rev:4; service:http; )
01850 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Apple iTunes PCAST protocol handler stack buffer overflow attempt"; flow:to_client,established; file_data; content:"pcast|3A|//",nocase; pcre:"/(\x22|\x27)pcast\x3a\x2f\x2f[^\x22\x27]*\x3a[^\x22\x27\x2f]{256}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,35157; reference:cve,2009-0950; classtype:attempted-user; sid:15705; rev:3; service:http; )
01851 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Apple iTunes DAAP protocol handler stack buffer overflow attempt"; flow:to_client,established; file_data; content:"daap|3A|//",nocase; isdataat:256,relative; pcre:"/(\x22|\x27)daap\x3a\x2f\x2f[^\x22\x27]*\x3a[^\x22\x27\x2f]{256}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,35157; reference:cve,2009-0950; classtype:attempted-user; sid:15706; rev:4; service:http; )
01852 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Apple iTunes ITPC protocol handler stack buffer overflow attempt"; flow:to_client,established; file_data; content:"itpc|3A|//",nocase; isdataat:256,relative; pcre:"/(\x22|\x27)itpc\x3a\x2f\x2f[^\x22\x27]*\x3a[^\x22\x27\x2f]{256}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,35157; reference:cve,2009-0950; classtype:attempted-user; sid:15707; rev:4; service:http; )
01853 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA VideoLAN VLC Media Player TY processing buffer overflow attempt"; flow:to_client,established; file_data; content:"|F5 46 7A BD 00 00 00 02 00 02 00 00|",depth 12; byte_test:4,>,32,8,relative,big; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,31813; reference:cve,2008-4654; classtype:attempted-user; sid:16720; rev:3; service:http; )
01854 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA ffdshow codec URL parsing buffer overflow attempt"; flow:to_client,established; file_data; content:"6BF52A52-394A-11d3-B153-00C04F79FAA6"; content:"<param ",nocase; content:"URL",distance 0,nocase; pcre:"/<param\s+name\s*=\s*(?P<q1>\x22|\x27|)URL(?P=q1)[^>]+?value\s*=\s*(\x22|\x27)[^\x22\x27]{500}/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,32438; reference:cve,2008-5381; classtype:attempted-user; sid:17573; rev:5; service:http; )
01855 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Xenorate Media Player XPL file handling overflow attempt - 2"; flow:to_client,established; file_data; content:"AAAAAAAA|EB 06 90 90 4B 3F 01 11 90 90 90 90|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,osvdb.org/show/osvdb/57162; classtype:attempted-user; sid:16738; rev:3; service:http; )
01858 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Apple iTunes Playlist Overflow Attempt"; flow:to_client,established; flowbits:isset,file.pls; file_data; content:"[playlist]",depth 10,nocase; isdataat:1000; content:"File",distance 0; pcre:"/^\d+\x3Dhttps?\x3a\x2f\x2f[^\n\r]{1000}/Ri"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2005-0043; classtype:attempted-user; sid:26724; rev:1; service:http; service:imap; service:pop3; )
01859 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Visio version number anomaly"; flow:to_client,established; flowbits:isset,file.visio&file.ole; file_data; content:"Visio |28|TM|29| Drawing|0D 0A 00 00 00 00|"; pcre:"/Visio \x28TM\x29 Drawing\r\n\x00{4}([^\x00]|\x00[^\x00]|\x00\x00[^\x01-\x06\x0b]|\x00\x00[\x01-\x06\x0b][^\x00])/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,24349; reference:cve,2007-0934; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-030; classtype:misc-activity; sid:11836; rev:12; service:http; service:imap; service:pop3; )
01860 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel REPT integer underflow attempt"; flow:to_client,established; flowbits:isset,file.xml; file_data; content:"|3D|rept|28|",nocase; pcre:"/\x3ccell\s+[^\x3e]*\x3aFormula\s*\x3d\s*\x22\s*\x3drept\x28/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,31706; reference:cve,2008-4019; classtype:attempted-user; sid:17734; rev:6; service:http; service:imap; service:pop3; )
01861 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Works file converter file section header index table stack overflow attempt"; flow:to_client,established; flowbits:isset,file.works; file_data; content:"|22 07 00 00 00 22 22 22 22 00 22 06 00 00 00 02 00 46 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,27658; reference:cve,2008-0105; classtype:attempted-user; sid:17304; rev:5; service:http; service:imap; service:pop3; )
01862 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word information string overflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|FE FF 00 00|"; content:"|E0 85 9F F2 F9 4F 68 10 AB 91 08 00 2B 27 B3 D9|",within 16,distance 24; byte_jump:4,0,relative,little,post_offset -48; byte_extract:4,0,sectLength,relative,little; content:"|1E 00 00 00|",within sectLength; byte_test:4,>,2147483647,0,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2006-1540; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-038; classtype:attempted-user; sid:7203; rev:12; service:http; service:imap; service:pop3; )
01863 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt - 2"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|13 08|"; content:"|13 08 00 00 00 00 00 00 00 00 00 00|",within 12,distance 2; pcre:"/^(.{3}[\x80-\xFF]|.{7}[\x80-\xFF])/sR"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-1247; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-038; classtype:attempted-user; sid:16647; rev:9; service:http; service:imap; service:pop3; )
01864 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel Chart Sheet Substream memory corruption attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|02 10 10 00|"; content:"|33 10 00 00|",within 4,distance 16; content:"|54 08 0C 00 54 08 00 00|",distance 0; content:"|55 08 0C 00|",distance 8; content:"|55 08 0C 00|",within 4,distance 12; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-0823; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-038; classtype:attempted-user; sid:16643; rev:8; service:http; service:imap; service:pop3; )
01865 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel OBJ record stack buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|5D 00|"; content:"|15 00 12 00 14 00|",within 6,distance 2; content:"|0C 00 14 00|",within 4,distance 16; content:"|13 00|",within 2,distance 20; byte_test:2,>,1024,18,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,40520; reference:cve,2010-0822; reference:url,osvdb.org/show/osvdb/65236; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-038; classtype:attempted-user; sid:16638; rev:9; service:http; service:imap; service:pop3; )
01866 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel OBJ record stack buffer overflow attempt - with macro"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|5D 00|"; content:"|15 00 12 00 14 00|",within 6,distance 2; content:"|0C 00 14 00|",within 4,distance 16; content:"|04 00|",within 2,distance 20; byte_jump:2,0,relative,little; content:"|13 00|",within 2; byte_test:2,>,0,0,relative,little; byte_jump:2,2,relative,little; byte_test:2,>,1024,14,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-0822; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-038; classtype:attempted-user; sid:16639; rev:8; service:http; service:imap; service:pop3; )
01867 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel OBJ record stack buffer overflow attempt - with linkFmla"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|5D 00|"; content:"|15 00 12 00 14 00|",within 6,distance 2; content:"|0C 00 14 00|",within 4,distance 16; content:"|0E 00|",within 2,distance 20; byte_jump:2,0,relative,little; content:"|13 00|",within 2; byte_test:2,>,0,0,relative,little; byte_jump:2,2,relative,little; byte_test:2,>,1024,14,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-0822; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-038; classtype:attempted-user; sid:16640; rev:8; service:http; service:imap; service:pop3; )
01868 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel OBJ record stack buffer overflow attempt - with macro and linkFmla"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|5D 00|"; content:"|15 00 12 00 14 00|",within 6,distance 2; content:"|0C 00 14 00|",within 4,distance 16; content:"|04 00|",within 2,distance 20; byte_jump:2,0,relative,little; content:"|0E 00|",within 2; byte_jump:2,0,relative,little; content:"|13 00|",within 2; byte_test:2,>,0,0,relative,little; byte_jump:2,2,relative,little; byte_test:2,>,1024,14,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-0822; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-038; classtype:attempted-user; sid:16641; rev:8; service:http; service:imap; service:pop3; )
01869 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel EntExU2 write access violation attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|0E 00 24 41 41 41 41 24 04 00 02 C0 42 02 04 00 D7 00 0C 00 A2 00 00 00 3C 00 0E 00 0E 00 0E 00 C2 01 0C 00 00 00 06 00 00 00 03 00 02 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,38547; reference:cve,2010-0257; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-017; classtype:attempted-user; sid:19133; rev:8; service:http; service:imap; service:pop3; )
01870 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel PtgExtraArray data parsing vulnerability exploit attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|39 00 02 00 01 00 0F 00 02 00 1D 00 00 00 FF FF 01 00 C0 09 1B FC 1E 00 23 01 00 00 00 17 0A 00 43 6F 6E 6E 65 63 74 69 6F 6E 60 23 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,43647; reference:cve,2010-3231; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-080; classtype:attempted-user; sid:19134; rev:8; service:http; service:imap; service:pop3; )
01871 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel RealTimeData record parsing memory corruption"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|01 00 00 00 FF FF FF FF 00 11 6D 79 63 6F 6D 61|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,40525; reference:cve,2010-1247; classtype:attempted-user; sid:19412; rev:6; service:http; service:imap; service:pop3; )
01872 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft VBE6.dll stack corruption attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|50 00 6F 00 69 00 6E 00 74 00 20 00 44 00 6F 00 63 00 75 00 6D 00|"; content:"|01 00 C3 0F 18 00 00 00|",distance 0; content:"|00 00 00 00|",within 4,distance 16; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,39931; reference:cve,2010-0815; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-031; classtype:attempted-user; sid:16593; rev:9; service:http; service:imap; service:pop3; )
01873 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Visio DXF variable name overflow attempt"; flow:to_client,established; flowbits:isset,file.dxf; file_data; content:"HEADER"; content:"9",distance 0; content:"|0A 24|",distance 0; isdataat:92,relative; content:!"|0A|",within 92; pcre:"/HEADER[\x20\r]*\n[\x20]*9[\x20\r]*\n\x24[^\n]{92}/"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,39836; reference:cve,2010-1681; classtype:attempted-user; sid:18331; rev:5; service:http; service:imap; service:pop3; )
01874 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word malformed table record memory corruption attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|00 13 3A FF FF FF 8C 0F 00 00 F0 38 00 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-1903; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-056; classtype:attempted-user; sid:17124; rev:7; service:http; service:imap; service:pop3; )
01876 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office RTF parsing remote code execution attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|5C|sp"; content:"|5C|sn",within 100,nocase; content:"pFragments",within 100,nocase; content:"|5C|sv",within 100,nocase; pcre:"/\x5Csv\s+[^\x7D]*?\x3B[^\x7D]*?\x3B[^\x7B]{12}/smi"; byte_test:4,>,4,8,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-3333; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-087; classtype:attempted-user; sid:18067; rev:8; service:http; service:imap; service:pop3; )
01877 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel CrErr record integer overflow attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|09 08 08 00 00 05|"; content:"|65 08|",distance 0; byte_test:1,&,0x80,19,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-3230; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-080; classtype:attempted-user; sid:17757; rev:9; service:http; service:imap; service:pop3; )
01878 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word XP PLFLSInTableStream heap overflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|5C FE 00 01 02 5C FE 00 01 02 5C FE 00 01 02 5C FE 00 01 02 51 4A|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-3220; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-079; classtype:attempted-user; sid:17756; rev:9; service:http; service:imap; service:pop3; )
01879 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE MSCOMCTL ActiveX control deserialization arbitrary code execution attempt"; flow:to_client,established; file_data; content:"4BF0D1BD8B85D111B16A00C0F0283628"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21797; rev:4; service:http; service:imap; service:pop3; )
01880 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE MSCOMCTL ActiveX control deserialization arbitrary code execution attempt"; flow:to_client,established; file_data; content:"4BF0D1BD8B85D1116ab1283628f0c000"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21798; rev:4; service:http; service:imap; service:pop3; )
01881 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE MSCOMCTL ActiveX control deserialization arbitrary code execution attempt"; flow:to_client,established; file_data; content:"E0F86B9944805046EBAD9CE91439010B"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21799; rev:4; service:http; service:imap; service:pop3; )
01882 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE MSCOMCTL ActiveX control deserialization arbitrary code execution attempt"; flow:to_client,established; file_data; content:"B69041C78985D1116AD1283628F0C000"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21800; rev:4; service:http; service:imap; service:pop3; )
01883 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE MSCOMCTL ActiveX control deserialization arbitrary code execution attempt"; flow:to_client,established; file_data; content:"5FDC81917DE08A41A6AC"; pcre:"/5FDC81917DE08A41A6AC(E9B8ECA1EE.8|.98ECB1EEA8E)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21801; rev:4; service:http; service:imap; service:pop3; )
# --- File-type-gated static signatures for Office binary formats ---
# Every rule below requires flowbits:isset,file.<type> (ppt/pub/xls/visio); the
# bit must have been set earlier in the same flow by a file-type rule that is not
# in this part of the file, so these rules never fire on their own over a bare
# file_data buffer. Matching is on literal byte sequences, so each rule covers
# the specific record layout (often one known sample) rather than the vulnerable
# condition in general.
# PowerPoint use-after-free (CVE-2011-0655 / MS11-022): two fixed Escher record
# headers 32 bytes apart. Sibling signatures for the same CVE exist below.
01884 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office PowerPoint malformed record call to freed object attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|00 00 00 00 00 00 00 1F 00 44 F1 F8 00 00 00 00|"; content:"|00 00 00 19 00 00 00 0F 00 2E F1 00 00 00 00 0F 00 2E F1 A0 00 00 00 00 00 3A F1 08 00 00 00 01|",within 32,distance 32; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-0655; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-022; classtype:attempted-admin; sid:21647; rev:3; service:http; service:imap; service:pop3; )
# Publisher 2003 EscherStm (CVE-2011-3411 / MS11-091); the trailing 41 41 41 is
# a run of 'A' filler, likely lifted from a published sample — confirm.
01885 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Publisher 2003 EscherStm memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pub; file_data; content:"|00 0B 00 0B 00 00 00 00 00 00 00 AA 00 00 00 03 A0 41 41 41 FF|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,50949; reference:cve,2011-3411; reference:url,osvdb.org/show/osvdb/77671; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-091; classtype:attempted-user; sid:21243; rev:5; service:http; service:imap; service:pop3; )
# Excel FRTWrapper (CVE-2008-3471 / MS08-057): record type 0x0851 with a zero
# length field followed by sixteen ASCII 'A's. This is a sample-specific form;
# sid 14641 further down checks the length field generically with byte_test.
01886 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel FRTWrapper record buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|51 08 00 00|AAAAAAAAAAAAAAAA"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2008-3471; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-057; classtype:attempted-user; sid:16800; rev:11; service:http; service:imap; service:pop3; )
# Excel BRAI record (CVE-2009-0549 / MS09-021), single fixed 20-byte sequence.
01887 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel BRAI record remote code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|02 00 0B 00 51 10 08 00 00 01 01 00 FF 00 00 00 27 10 06 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-0549; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-021; classtype:attempted-user; sid:18399; rev:9; service:http; service:imap; service:pop3; )
# Excel sheet-object type confusion (CVE-2010-0258 / MS10-017): two records of
# type 0x1051 with the second required 16 bytes after the first.
01888 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel sheet object type confusion exploit attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|51 10 0F 00 00 02 00 00 00 00 07 00 3A 00 00 00 00 00 00|"; content:"|51 10 13 00 01 02 00 00 00 00 0B 00 3B 00 00 00 00 00 00 01 00 03 00|",within 23,distance 16; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-0258; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-017; classtype:attempted-user; sid:18740; rev:10; service:http; service:imap; service:pop3; )
# Publisher heap overflow (CVE-2010-2569 / MS10-103). Unlike its neighbours this
# rule and the next one are "security-ips alert" rather than drop, so in the
# security policy they only log; check that this is intentional. A second
# signature for the same CVE (sid 19306) appears further down.
01889 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Publisher tyo.oty field heap overflow attempt"; flow:to_client,established; flowbits:isset,file.pub; file_data; content:"|00 19 1D 00 04 04 01 00 01 00 F2 68 01 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips alert,service http,service imap,service pop3; reference:cve,2010-2569; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-103; classtype:attempted-user; sid:18212; rev:10; service:http; service:imap; service:pop3; )
# Publisher 97 conversion (CVE-2010-2571 / MS10-103); also "security-ips alert".
01890 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Publisher 97 conversion remote code execution attempt"; flow:to_client,established; flowbits:isset,file.pub; file_data; content:"|00 FF FF 67 7E 66 00 48 D4 03 00 57 D7 03 00 FF FF 14 00 1A|"; metadata:policy balanced-ips drop,policy security-ips alert,service http,service imap,service pop3; reference:cve,2010-2571; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-103; classtype:attempted-user; sid:18214; rev:10; service:http; service:imap; service:pop3; )
# Excel MS10-080 formula-parsing family (sids 17758, 17764, 17759, 17760, 18806).
# The long blobs embed ASCII text — 43 6F 6E 6E 65 63 74 69 6F 6E is "Connection",
# 5B 44 65 70 74 5D 2E 5B 57 73 7A 79 73 74 6B is "[Dept].[Wszystk" — i.e. they
# are keyed to the strings of one sample, and a reworked document with different
# names will not match. Treat these as IoC-grade rather than vulnerability-grade.
01891 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel PtgExtraArray data parsing vulnerability exploit attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|06 00 75 00 14 00 01 00 40 00 00 00 90 22 BD 04 FF FF 00 00 12 00 01 FF 1E 00 23 02 00 00 00 17 0A 00 43 6F 6E 6E 65 63 74 69 6F 6E 60 01 00 00 00 00 00 04 42 03 FF 00 01 00 24|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,43647; reference:cve,2010-3231; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-080; classtype:attempted-user; sid:17758; rev:11; service:http; service:imap; service:pop3; )
01892 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel PtgName invalid index exploit attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|06 00 91 00 07 00 01 00 41 00 00 00 E0 29 BD 04 FF FF 00 00 05 00 01 FF 1E 00 23 02 30 00 00 17 0A 00 43 6F 6E 6E 65 63 74 69 6F 6E 60 02|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,43650; reference:cve,2010-3235; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-080; classtype:attempted-user; sid:17764; rev:12; service:http; service:imap; service:pop3; )
01893 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel invalid SerAr object exploit attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|BD 04 FF FF 00 00 05 00 01 FF 1E 00 23 02 00 00 00 17 0A 00 43 6F 6E 6E 65 63 74 69 6F 6E 60 02 00 00 00 00 00 04 42 03 FF 00 02 00 00 B6 1E 00 00 5B 44 65 70 74 5D 2E 5B 57 73 7A 79 73 74 6B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-3239; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-080; classtype:attempted-user; sid:17759; rev:12; service:http; service:imap; service:pop3; )
# RealTimeData record (CVE-2010-3240): the blob contains the ASCII strings
# "mycomaddin.progid", "LOREM_IPSUM" and "Price" from a sample; sid 18806 below
# is a shorter variant of the same record.
01894 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel RealTimeData record exploit attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|13 08 48 00 13 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 25 00 00 00 00 11 6D 79 63 6F 6D 61 64 64 69 6E 2E 70 72 6F 67 69 64 00 0B 4C 4F 52 45 4D 5F 49 50 53 55 4D 05 50 72 69 63 65 10 00 00 00 2A 00 00 00 00 00 00 00 EA 4E|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,43655; reference:cve,2010-3240; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-080; classtype:attempted-user; sid:17760; rev:11; service:http; service:imap; service:pop3; )
01895 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel RealTimeData record exploit attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|10 00 00 00 2A 00 00 00 00 00 00 00 41 41 13 08 4F 00 13 08|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,43655; reference:cve,2010-3240; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-080; classtype:attempted-user; sid:18806; rev:10; service:http; service:imap; service:pop3; )
# Publisher (CVE-2010-3954 / MS10-103): two-byte anchor E8 AC, then a 16-byte
# sequence that must start exactly 30 bytes after it (within 16, distance 30).
01896 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Publisher memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pub; file_data; content:"|E8 AC|"; content:"|08 20 E0 AC 01 00 09 C0 6E 00 00 00 41 00 41 00|",within 16,distance 30; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-3954; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-103; classtype:attempted-user; sid:18230; rev:10; service:http; service:imap; service:pop3; )
# PowerPoint CVE-2011-0655, second signature: three 16-byte record headers at
# fixed distances (32 and then 160 bytes) from each other.
01897 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office PowerPoint malformed record call to freed object attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|1F 00 44 F1 F8 00 00 00 00 00 27 F1 20 00 00 00|"; content:"|0F 00 3D F1 00 00 00 00 0F 00 31 F1 A0 00 00 00|",within 16,distance 32; content:"|1F 00 2C F1 18 00 00 00 00 00 28 F1 10 00 00 00|",within 16,distance 160; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-0655; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-022; classtype:attempted-admin; sid:18635; rev:13; service:http; service:imap; service:pop3; )
# Visio deserialization double free (CVE-2011-0092 / MS11-008), fixed 20 bytes.
01898 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Visio deserialization double free attempt"; flow:to_client,established; flowbits:isset,file.visio; file_data; content:"|FF FF FF FF 00 00 BF 8E 22 BD 3E 68 9C 83 00 00 01 00 1D 02|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-0092; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-008; classtype:attempted-user; sid:18415; rev:10; service:http; service:imap; service:pop3; )
# --- Visio CVE-2011-0093 (three signatures), Excel, Word and Publisher statics ---
# Visio data-type corruption. Housekeeping differences from its two siblings:
# the msg lacks the "attempt" suffix used everywhere else and there is no
# MS11-008 bulletin url reference, only bugtraq. Content decodes to "VARCHA".
01899 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Visio Data Type Memory Corruption"; flow:to_client,established; flowbits:isset,file.visio; file_data; content:"|80 12 00 0F 00 41 41 38 A4 EF 66 04 00 02 EC F0|"; content:"|56 41 52 43 48 41 A1 52 DC FF|",within 10,distance 16; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,46138; reference:cve,2011-0093; classtype:attempted-user; sid:18755; rev:10; service:http; service:imap; service:pop3; )
01900 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Visio ORMinfo classes length overflow attempt"; flow:to_client,established; flowbits:isset,file.visio; file_data; content:"|F2 04 58 41 03 00 47 00 00 00 42 00 00 00 00 00 7B DA 02 EB F0 01 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-0093; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-008; classtype:attempted-user; sid:18417; rev:10; service:http; service:imap; service:pop3; )
01901 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Visio ORMinfo classes length overflow attempt"; flow:to_client,established; flowbits:isset,file.visio; file_data; content:"|FF FF FF FF 00 00 98 0C 3C BF 61 D1 D2 C9 00 00 01 00 02|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-0093; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-008; classtype:attempted-user; sid:18416; rev:10; service:http; service:imap; service:pop3; )
# Excel FNGROUPNAME (CVE-2010-0262): record 0x009A, length 9, then FF FF 00 00 00.
# Only a 9-byte anchor, so false positives on benign data are more plausible than
# for the longer blobs; the bulletin url here is lowercase "ms10-017" while the
# rest of the file uses uppercase.
01902 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel FNGROUPNAME record memory corruption attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|9A 00 09 00 FF FF 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,38553; reference:cve,2010-0262; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-017; classtype:attempted-user; sid:20029; rev:7; service:http; service:imap; service:pop3; )
# PowerPoint CVE-2011-0655, third signature; same three-record, 32/160-byte
# spacing shape as sid 18635 with the anchors shifted by four bytes.
01903 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office PowerPoint malformed record call to freed object attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|00 00 00 00 1F 00 44 F1 F8 00 00 00 00 00 27 F1|"; content:"|19 00 00 00 0F 00 3D F1 00 00 00 00 0F 00 31 F1|",within 16,distance 32; content:"|FF FF FF FF 1F 00 32 F1 18 00 00 00 00 00 28 F1|",within 16,distance 160; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-0655; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-022; classtype:attempted-admin; sid:19811; rev:9; service:http; service:imap; service:pop3; )
# Word sprmCMajority (CVE-2010-1900 / MS10-056), two sample-derived byte layouts;
# the second again contains 41 41 41 41 'A' filler.
01904 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word sprmCMajority record buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|47 CA FF 00 00 00 00 00 00 00 00 00 00 01 32 00 31 90|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,42136; reference:cve,2010-1900; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-056; classtype:attempted-user; sid:19459; rev:7; service:http; service:imap; service:pop3; )
01905 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word sprmCMajority record buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|47 CA FF 3E C6 FF 41 41 41 41 00 00 00 01 41 41|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,42136; reference:cve,2010-1900; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-056; classtype:attempted-user; sid:19458; rev:7; service:http; service:imap; service:pop3; )
# Publisher pubconv.dll (CVE-2010-2569): second signature for the CVE covered by
# sid 18212 above; this one is "security-ips drop" where 18212 is "alert".
01906 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Publisher pubconv.dll corruption attempt"; flow:to_client,established; flowbits:isset,file.pub; file_data; content:"|39 00 39 00 39 00 39 01 1D 00 04 04 01 00 01 00 E2 00 01 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,45277; reference:cve,2010-2569; classtype:attempted-user; sid:19306; rev:7; service:http; service:imap; service:pop3; )
# Excel PtgExtraArray. NOTE(review): the msg names PtgExtraArray but the CVE
# reference (2010-3239) is the one used by the "invalid SerAr object" rule
# sid 17759, while the other PtgExtraArray rule sid 17758 references CVE-2010-3231.
# The blob starts with "ion`" (tail of "Connection") from the same sample family.
# Verify which CVE is intended before relying on the reference for triage.
01907 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel PtgExtraArray parsing attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|69 6F 6E 60 01 00 00 B4 01 C7 03 42 03 FF 00 01 00 00 41 41 41 41 41|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,43654; reference:cve,2010-3239; classtype:attempted-user; sid:19154; rev:6; service:http; service:imap; service:pop3; )
# PowerPoint converter bad indirection (CVE-2010-2572 / MS10-088), fixed 32 bytes.
01908 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office PowerPoint converter bad indirection remote code execution attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|00 00 20 02 00 00 18 00 00 00 B1 0F 00 00 00 00 00 00 00 00 00 00 00 00 00 01 01 01 00 10 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-2572; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-088; classtype:attempted-user; sid:18948; rev:10; service:http; service:imap; service:pop3; )
# Excel PtgName (CVE-2010-3235), second signature alongside sid 17764.
01909 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel PtgName invalid index exploit attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|1D 00 00 00 FF FF 21 00 34 02 C7 FC 1E 00 23 30 00 00 00 17|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,43650; reference:cve,2010-3235; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-080; classtype:attempted-user; sid:18538; rev:8; service:http; service:imap; service:pop3; )
# OpenOffice.org parsing a Word file (CVE-2009-3301). Filed under FILE-OFFICE and
# gated on file.doc even though the vulnerable parser is OpenOffice, not Word.
01910 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE OpenOffice.org Microsoft Office Word file processing integer underflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|08 D6 05 80 05 94 FF E0 10 2C 22 00 06 4C 11 00 00 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,38218; reference:cve,2009-3301; classtype:attempted-user; sid:18536; rev:8; service:http; service:imap; service:pop3; )
# Word global array index heap overflow (CVE-2008-4026), fixed 22 bytes.
01911 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word Global Array Index Heap Overflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|22 B0 08 07 23 90 A0 05 24 90 A0 05 33 50 00 19 00 00 00 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,32583; reference:cve,2008-4026; classtype:attempted-user; sid:17560; rev:7; service:http; service:imap; service:pop3; )
# Excel palette record (CVE-2007-0031). The msg misspells "Palette" as "Palete";
# fixing it means a rev bump, so it is left as shipped here.
01912 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel MalformedPalete Record Memory Corruption attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|00 00 80 00 FF 93 02 04 00 14 80 05 FF 92 00 E2 00 80 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,21922; reference:cve,2007-0031; classtype:attempted-user; sid:17542; rev:8; service:http; service:imap; service:pop3; )
# Excel "unspecified" corruption, bugtraq 15926, no CVE (sids 17539, 17538, 17537).
# All three are keyed to one sample rather than to the bug: the first blob is a
# UTF-16LE text string (every other byte 00) taken verbatim from that sample, the
# second matches "Sheet1"/"Sheet2" at a hard-coded file offset (offset 688,
# depth 20), and the third contains "w00t" repeated three times. Expect them to
# catch re-sends of that file and little else.
01913 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel unspecified memory corruption attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|00 00 00 00 00 0D 10 7E 00 00 00 3B 01 77 00 30 00 30 00 74 00 2C 00 20 00 4D 00 61 00 72 00 63 00 20 00 42 00 65 00 68 00 61 00 72 00 20 00 67 00 69 00 76 00 65 00 73 00 20 00 30 00 2E 00 30 00 31 00 24 00 20 00 62 00 6C 00 6F 00 77 00 6A 00 6F 00 62 00 20 00 61 00 74 00 20 00 65 00 62 00 61 00 79 00 2C 00 20 00 67 00 6F 00 67 00 6F 00 67 00 6F|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,15926; classtype:attempted-user; sid:17539; rev:9; service:http; service:imap; service:pop3; )
01914 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel unspecified memory corruption attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|53 68 65 65 74 31 00 00 00 00 00 00 53 68 65 65 74 32 00 00|",depth 20,offset 688; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,15926; classtype:attempted-user; sid:17538; rev:9; service:http; service:imap; service:pop3; )
01915 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel unspecified memory corruption attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|00 00 00 00 0C 00 77 30 30 74 77 30 30 74 77 30 30 74 8C 00 04 00 21 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,15926; classtype:attempted-user; sid:17537; rev:9; service:http; service:imap; service:pop3; )
# --- Structural rules: record headers plus byte_test/byte_extract/byte_jump ---
# These check field values relative to a record anchor instead of a whole blob,
# so they cover the vulnerable condition more generally than the static rules
# above; the trade-off is that a loose threshold can alert on legitimate files.
# PowerPoint TxMasterStyle10Atom numLevels (CVE-2008-1455 / ms08-051).
# byte_extract reads the 4-byte record length after the 0F 00 F8 03 header into
# master_record and the B2 0F atom must be found within that many bytes; the
# byte_tests then require the 2-byte value 4 bytes past it to exceed 5 and the
# byte 4 bytes back to be below 0x90 with bits 0x01/0x02/0x04/0x08 all clear.
01916 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office PowerPoint TxMasterStyle10Atom atom numLevels buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|0F 00 F8 03|"; byte_extract:4,4,master_record,relative,little; content:"|B2 0F|",within master_record; byte_test:2,>,5,4,relative,little; byte_test:1,<,0x90,-4,relative; byte_test:1,!&,0x01,-4,relative; byte_test:1,!&,0x02,-4,relative; byte_test:1,!&,0x04,-4,relative; byte_test:1,!&,0x08,-4,relative; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2008-1455; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-051; classtype:attempted-user; sid:13971; rev:13; service:http; service:imap; service:pop3; )
# PowerPoint malformed shapeid (CVE-2008-0118 / ms08-016). The first content is
# the OLE compound-file signature pinned to the first 8 bytes of file_data
# (depth 8), so the rule only evaluates on buffers that begin at the file start;
# two byte_tests then require bits 1024 and 8 in the 2-byte field 4 bytes past
# the 0A F0 record.
01917 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office PowerPoint malformed shapeid arbitrary code execution attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|",depth 8; content:"|0A F0 08 00 00 00|"; byte_test:2,&,1024,4,relative,little; byte_test:2,&,8,4,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,28146; reference:cve,2008-0118; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-016; classtype:attempted-user; sid:13572; rev:16; service:http; service:imap; service:pop3; )
# Excel malformed formula (CVE-2008-0115 / MS08-014), static 20-byte sequence
# ending in four 0x7C '|' bytes.
01918 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel malformed formula parsing code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|07 C9 C0 00 00 06 03 00 00 18 00 FF 02 00 00 02 7C 7C 7C 7C|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,28167; reference:cve,2008-0115; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-014; classtype:attempted-user; sid:17655; rev:9; service:http; service:imap; service:pop3; )
# Excel FRTWrapper, generic form of sid 16800: after "Sheet", find a 0x0851
# record whose 2-byte length is below 8, then require another 0x0851 header
# immediately after that length field (within 2, distance 2).
01919 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel invalid FRTWrapper record buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"Sheet"; content:"|51 08|",distance 0; byte_test:2,<,8,0,relative,little; content:"|51 08|",within 2,distance 2; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2008-3471; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-057; classtype:attempted-user; sid:14641; rev:14; service:http; service:imap; service:pop3; )
# Excel COUNTRY record 0x008C (CVE-2008-3006 and CVE-2008-4266, ms08-043/074):
# value after the header > 5, then 18 00 / 20 00 at fixed positions and a final
# 2-byte field 12 bytes on that must exceed 14.
01920 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel country record arbitrary code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|8C 00 04 00|"; byte_test:2,>,5,0,relative,little; content:"|18 00|",within 2,distance 4; content:"|20 00|",within 2,distance 2; byte_test:2,>,14,12,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2008-3006; reference:cve,2008-4266; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-043; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-074; classtype:attempted-user; sid:13972; rev:16; service:http; service:imap; service:pop3; )
# Visio invalid ho tag (CVE-2009-0096 / MS09-005), two static layouts; the
# second mixes a literal "@" (0x40) between two binary escapes.
01921 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Visio invalid ho tag attempt"; flow:to_client,established; flowbits:isset,file.visio; file_data; content:"|0D 14 00 03 00 01 00 16 00 03 00 01 01 02 FF 00 A4 02 A7 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,33660; reference:cve,2009-0096; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-005; classtype:attempted-user; sid:15299; rev:11; service:http; service:imap; service:pop3; )
01922 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Visio invalid ho tag attempt"; flow:to_client,established; flowbits:isset,file.visio; file_data; content:"|00 02 0B|@|00 00 00 00 00 00 00 00 FE 00 FF 00 90 03 A7 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,33660; reference:cve,2009-0096; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-005; classtype:attempted-user; sid:16318; rev:9; service:http; service:imap; service:pop3; )
# PowerPoint PP7 component (CVE-2009-1129 / MS09-017): the 4-byte length after
# CC 0F 00 00 FF FF 00 00 must exceed 0x100, is saved as "length", and a
# BA 0F 00 00 record inside that span must itself carry a length above 0x100.
01923 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office PowerPoint PP7 Component buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|CC 0F 00 00 FF FF 00 00|"; byte_test:4,>,0x100,0,relative,little; byte_extract:4,0,length,relative,little; content:"|00 00 00 00|",within 4; content:"|BA 0F 00 00|",within length; byte_test:4,>,0x100,4,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-1129; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-017; classtype:attempted-user; sid:15499; rev:12; service:http; service:imap; service:pop3; )
# Word document RCE (CVE-2009-3135 / MS09-068): two rules differing only in the
# 2-byte anchor (EC A5 / DC A5, presumably the two FIB wIdent values — confirm).
# Both require the 2-byte field after the anchor to be below 38 and the 4-byte
# field at +22 to be in (0, 250). A 2-byte anchor is short, so the byte_tests do
# most of the filtering here.
01924 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word Document remote code execution attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|EC A5|"; byte_test:2,<,38,0,relative,little; byte_test:4,>,0,22,relative,little; byte_test:4,<,250,22,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-3135; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-068; classtype:attempted-user; sid:16586; rev:9; service:http; service:imap; service:pop3; )
01925 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word Document remote code execution attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|DC A5|"; byte_test:2,<,38,0,relative,little; byte_test:4,>,0,22,relative,little; byte_test:4,<,250,22,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-3135; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-068; classtype:attempted-user; sid:16234; rev:10; service:http; service:imap; service:pop3; )
# PowerPoint paragraph format array (CVE-2009-0220), static with 'A' filler.
01926 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office PowerPoint paragraph format array inner header overflow attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|1C 00 00 00 00 80 41 41 41 41 41 41 95 00 FF FF 64|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,34833; reference:cve,2009-0220; classtype:attempted-user; sid:17695; rev:8; service:http; service:imap; service:pop3; )
# PowerPoint LinkedSlide (CVE-2009-0221): 4-byte field 4 bytes past the record
# header must exceed 1000000. Style notes: the byte_test arguments are written
# with spaces after the commas, unlike every other rule in this file, and the
# msg lacks the "attempt" suffix.
01927 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office PowerPoint LinkedSlide memory corruption"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|00 00 E7|.|08 00 00 00|"; byte_test:4, >, 1000000, 4, relative, little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-0221; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-017; classtype:attempted-user; sid:15500; rev:11; service:http; service:imap; service:pop3; )
# PowerPoint HashCode10Atom (CVE-2009-1130): after the 0F 00 F0 03 header and a
# 00 00 2B marker, isdataat guarantees 4 more bytes exist and the negated
# content requires those 4 bytes to be anything other than 04 00 00 00.
01928 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office PowerPoint HashCode10Atom memory corruption attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|0F 00 F0 03|"; content:"|00 00|+",within 3,distance 5; isdataat:4,relative; content:!"|04 00 00 00|",within 4; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-1130; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-017; classtype:attempted-user; sid:15505; rev:9; service:http; service:imap; service:pop3; )
# PowerPoint LinkedSlide10Atom (CVE-2010-0030 / MS10-004): byte_jump skips
# 16 x (the 4-byte count at +4) bytes and then expects the E6 record header
# within 8 bytes; same anchor as sid 15500 above.
01929 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office PowerPoint file LinkedSlide10Atom record parsing heap corruption attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|00 00 E7|.|08 00 00 00|"; byte_jump:4,4,relative,multiplier 16,little; content:"|00 00 E6|.|08 00 00 00|",within 8; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-0030; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-004; classtype:attempted-user; sid:16410; rev:8; service:http; service:imap; service:pop3; )
01930 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office PowerPoint CurrentUserAtom remote code execution attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|00 00 F6 0F|"; content:"|14 00 00 00|",within 4,distance 4; byte_test:2,>,255,8,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-1131; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-017; classtype:attempted-user; sid:15506; rev:9; service:http; service:imap; service:pop3; )
01931 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel Qsir and Qsif record remote code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|06 08|"; content:"|06 08|",within 2,distance 2; byte_test:1,&,0x10,16,relative; byte_test:1,!&,0x40,16,relative; byte_test:4,>,0,18,relative,little; content:"|07 08|",distance 0; content:"|07 08|",within 2,distance 2; byte_test:1,&,8,2,relative; byte_test:1,<,0x10,2,relative; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-1134; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-021; classtype:attempted-user; sid:15542; rev:9; service:http; service:imap; service:pop3; )
01932 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel FeatHdr BIFF record remote code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"g|08|"; content:"|04 00|",within 2,distance 14; content:"|04 00|",within 2,distance 1; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-3129; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-067; classtype:attempted-user; sid:16241; rev:8; service:http; service:imap; service:pop3; )
01933 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Visio Malformed IconBitsComponent arbitrary code execution attempt"; flow:to_client,established; flowbits:isset,file.visio; file_data; content:"|00 00| |00| |FF 00 00 14 01 00 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-0095; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-005; classtype:attempted-user; sid:15303; rev:11; service:http; service:imap; service:pop3; )
01934 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel SST record remote code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"Sheet"; content:"|FC 00|",distance 0; byte_test:4,>,0,2,relative,little; byte_test:4,>,0x10000000,6,relative,little; byte_test:2,>,10,0,relative,little; byte_test:2,<,8225,0,relative,little; byte_jump:2,0,relative,little; pcre:"/^(\xFF|\x3C)\x00/R"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,36042; reference:cve,2009-0561; reference:cve,2009-3037; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-021; reference:url,www-01.ibm.com/support/docview.wss?uid=swg21396492; classtype:attempted-user; sid:15541; rev:13; service:http; service:imap; service:pop3; )
# sids 16471 / 16470 / 16469 (MS10-017, CVE-2010-0264): gated on file.xls. All three key on a 0x00DC
# record with a 12-byte payload (DbOrParamQry per msg) that is immediately followed by a 0x00CD record
# ("|CD 00|",within 2,distance 12). They differ only in the bitmask tests on the first payload byte
# (byte_test "&" fires when (byte & mask) != 0, "!&" when it is 0):
#   16471: no bit of 0x07 set AND some bit of 0x48 set
#   16470: some bit of 0x03 set AND 0x40 set
#   16469: some bit of 0x06 set AND 0x08 set
# 16471 and 16470 share the same msg text, so only the sid distinguishes the two variants in alerts.
01935 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel DbOrParamQry.fWeb parsing remote code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|DC 00 0C 00|"; byte_test:1,!&,0x07,0,relative,little; byte_test:1,&,0x48,0,relative,little; content:"|CD 00|",within 2,distance 12; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-0264; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-017; classtype:attempted-user; sid:16471; rev:9; service:http; service:imap; service:pop3; )
01936 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel DbOrParamQry.fWeb parsing remote code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|DC 00 0C 00|"; byte_test:1,&,0x03,0,relative,little; byte_test:1,&,0x40,0,relative,little; content:"|CD 00|",within 2,distance 12; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-0264; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-017; classtype:attempted-user; sid:16470; rev:9; service:http; service:imap; service:pop3; )
01937 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel DbOrParamQry.fOdbcConn parsing remote code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|DC 00 0C 00|"; byte_test:1,&,0x06,0,relative,little; byte_test:1,&,0x08,0,relative,little; content:"|CD 00|",within 2,distance 12; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-0264; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-017; classtype:attempted-user; sid:16469; rev:9; service:http; service:imap; service:pop3; )
# sid 18066 (MS10-088, CVE-2010-2573): gated on file.ppt. A single static 7-byte pattern with no length
# or value check, so it keys on the exact bytes of the known sample rather than on the underflow condition.
01938 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office PowerPoint integer underflow heap corruption attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|42 F1 00 00 00 00 03|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-2573; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-088; classtype:attempted-user; sid:18066; rev:10; service:http; service:imap; service:pop3; )
# sid 18231 (MS10-103, CVE-2010-3955): gated on file.pub. After "|E8 AC|" and "|2C 01 04 00|" starting
# exactly 2 bytes later, the 2-byte LE value 26 bytes past the end of that second match (the oti length
# per msg) must exceed 94.
# sid 19932 (MS09-030, CVE-2009-0566): gated on file.pub. Static 20-byte pattern followed exactly 11 bytes
# later by "|02 00 13 00|"; no value checks.
01939 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Publisher oversized oti length attempt"; flow:to_client,established; flowbits:isset,file.pub; file_data; content:"|E8 AC|"; content:"|2C 01 04 00|",within 4,distance 2; byte_test:2,>,94,26,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-3955; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-103; classtype:attempted-user; sid:18231; rev:9; service:http; service:imap; service:pop3; )
01940 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Publisher 2007 pointer dereference attempt"; flow:to_client,established; flowbits:isset,file.pub; file_data; content:"|01 2C 01 2B 01 2A 01 2F 01 2E 01 2D 01 52 00 12 12 00 00 00|"; content:"|02 00 13 00|",within 4,distance 11; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,35599; reference:cve,2009-0566; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-030; classtype:attempted-user; sid:19932; rev:8; service:http; service:imap; service:pop3; )
# sid 19552 (MS08-043, CVE-2008-3005): gated on file.xls and additionally requires the OLE compound
# document signature "|D0 CF 11 E0 A1 B1 1A E1|" within the first 8 bytes of the file_data buffer, then
# "|09 08 10 00 00 06|" (presumably a BIFF8 BOF record header). fast_pattern is forced onto the 2-byte
# "|1E 04|" (the format record per msg) because the other contents are common to every Office file;
# a 2-byte fast pattern is weak, so expect this rule to be evaluated often. Relative to "|1E 04|" the
# 2-byte LE values must satisfy +2 > 392, +0 > 4 and +4 < 256, and "Sheet1" (nocase) must follow.
01941 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel format record code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|",depth 8; content:"|09 08 10 00 00 06|",distance 0; content:"|1E 04|",distance 0,fast_pattern; byte_test:2,>,392,2,relative,little; byte_test:2,>,4,0,relative,little; byte_test:2,<,256,4,relative,little; content:"Sheet1",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2008-3005; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-043; classtype:attempted-user; sid:19552; rev:9; service:http; service:imap; service:pop3; )
# sid 19153 (CVE-2010-2750): gated on file.doc; a single static 20-byte pattern, no value checks.
01942 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word malformed index code execution attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|02 00 60 00 0C 14 FF 00 04 61 D5 00 B0 00 08 00 53 00 75 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,43766; reference:cve,2010-2750; classtype:attempted-user; sid:19153; rev:7; service:http; service:imap; service:pop3; )
# sid 16188 (MS06-028 and MS11-036, CVE-2006-0022 / CVE-2011-1269): gated on file.ppt. After the static
# 10-byte header the single byte that immediately follows (txttype per msg) must be greater than 8.
01943 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office PowerPoint bad text header txttype attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|00 00 00 00 9F 0F 04 00 00 00|"; byte_test:1,>,8,0,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2006-0022; reference:cve,2011-1269; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-028; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-036; classtype:attempted-user; sid:16188; rev:10; service:http; service:imap; service:pop3; )
# sid 18265 (MS11-006, CVE-2010-3970): gated on file.doc. The 16-byte prefix reads, in little-endian
# GUID order, as {F29F85E0-4FF9-1068-AB91-08002B27B3D9} (looks like the SummaryInformation property-set
# FMTID - confirm), followed by "|30 00 00 00|", then later "|11 00 00 00|", "|47 00 00 00|" and, exactly
# 8 bytes after that, "|08 00 00 00 28 00 00 00|" (0x28 = 40, presumably the BITMAPINFOHEADER size).
# Relative to the end of that match the pcre requires the 2-byte LE value at +10 to be one of
# 0x01/0x04/0x08/0x16/0x24/0x32 and either the byte at +3 >= 0x55 or the byte at +31 >= 0x80 (the top
# byte of biClrUsed if the BITMAPINFOHEADER layout assumption holds).
# NOTE(review): 0x16/0x24/0x32 are decimal 22/36/50. If +10 is biBitCount, the intended set is almost
# certainly 1/4/8/16/24/32, i.e. \x01\x04\x08\x10\x18\x20 - verify against a sample before changing.
01944 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office thumbnail bitmap invalid biClrUsed attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|E0 85 9F F2 F9 4F 68 10 AB 91 08 00 2B 27 B3 D9 30 00 00 00|"; content:"|11 00 00 00|",distance 0; content:"|47 00 00 00|",distance 0; content:"|08 00 00 00 28 00 00 00|",within 8,distance 8; pcre:"/^(?=.{10}[\x01\x04\x08\x16\x24\x32]\x00)(.{3}[\x55-\xFF]|.{31}[\x80-\xFF])/sR"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-3970; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-006; classtype:attempted-user; sid:18265; rev:8; service:http; service:imap; service:pop3; )
# sid 17646 (CVE-2009-0223): gated on file.ppt; static 20-byte pattern, no value checks.
# sid 17308 (CVE-2008-2244): gated on file.doc; static 16-byte pattern, no value checks.
# sid 17368 (CVE-2007-0870): gated on file.doc. The pattern embeds "|41 41 41 41|" ("AAAA"), which is
# filler from the sample, so a variant that uses different filler bytes is not matched.
# sid 17362 (CVE-2007-0027): gated on file.xls; static 16-byte pattern, no value checks.
01945 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office PowerPoint Legacy file format picture object code execution attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|FF 03 00 00 00 60 16 8F 10 00 00 00 00 5F 07 90 08 28 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,34834; reference:cve,2009-0223; classtype:attempted-user; sid:17646; rev:6; service:http; service:imap; service:pop3; )
01946 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word SmartTag record code execution attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|13 1F 14 FF 95 80 FF FF 01 00 00 00 00 00 28 2C|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,30124; reference:cve,2008-2244; classtype:attempted-user; sid:17308; rev:6; service:http; service:imap; service:pop3; )
01947 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word document stream handling code execution attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|A8 00 00 00 00 00 00 00 41 41 41 41 10 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,25567; reference:cve,2007-0870; classtype:attempted-user; sid:17368; rev:6; service:http; service:imap; service:pop3; )
01948 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel IMDATA buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|7F 00 54 01 09 00 01 00 00 00 00 00 0C 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,21856; reference:cve,2007-0027; classtype:attempted-user; sid:17362; rev:6; service:http; service:imap; service:pop3; )
# sid 17301 (CVE-2007-1910): requires BOTH the file.doc and file.ole flowbits ("&"). Three static
# patterns; the third must begin exactly 23 bytes after the second ends (within 12 equals its length).
01949 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word TextBox sub-document memory corruption attempt"; flow:to_client,established; flowbits:isset,file.doc&file.ole; file_data; content:"|FF FF FF FF FF FF EC A5 C1 00 4D 20 09 04 00 00 F0 12 BF 00|"; content:"|09 04 16 00 22 0C 00 00 80 57 00 00 80 57 00 00 02|"; content:"|00 00 00 00 00 00 00 00 FF FF 0F 00|",within 12,distance 23; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,23380; reference:cve,2007-1910; reference:url,osvdb.org/show/osvdb/37633; classtype:attempted-user; sid:17301; rev:7; service:http; service:imap; service:pop3; )
# sid 17227 (CVE-2007-3490): gated on file.xls; static 32-byte pattern. Unlike the neighbouring rules it
# is also placed in the connectivity-ips drop policy.
01950 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel sheet name memory corruption attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|01 16 01 00 00 F0 00 00 00 2C 03 00 00 D4 00 00 00 00 02 00 00 FF FF FF FF 34 03 00 00 D8 03 00|"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,24691; reference:cve,2007-3490; classtype:attempted-user; sid:17227; rev:9; service:http; service:imap; service:pop3; )
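# sid 17770 (MS10-071, CVE-2010-3329): gated on file.doc; matches the HtmlDlgHelper CLSID as text. The
# CLSID is only hex digits and hyphens, so the match is made case-insensitive (nocase) to also cover the
# upper-case spelling; the original rule matched the lower-case form only. rev bumped 10 -> 11.
01951 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft HtmlDlgHelper ActiveX clsid access"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"3050f4e1-98b5-11cf-bb82-00aa00bdce0b",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-3329; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-071; classtype:attempted-user; sid:17770; rev:11; service:http; service:imap; service:pop3; )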
# sid 13470 (MS08-012, CVE-2008-0102): gated on file.pub; static 16-byte pattern, no value checks.
01952 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Publisher memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pub; file_data; content:"|00 00 01 18 E8 AC 02 68 43 43 43 00 03 20 13 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,27739; reference:cve,2008-0102; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-012; classtype:attempted-user; sid:13470; rev:15; service:http; service:imap; service:pop3; )
# sid 15467 (MS09-010, CVE-2009-0235): gated on file.doc. After the 9-byte header the 4-byte LE value
# (aCP per msg) must exceed 2147483648, i.e. have its sign bit set (negative as a signed 32-bit value);
# "|00 00 10|" must then begin 5 bytes later and "@|00 00 FF FF 01 00|" within the following 8 bytes.
01953 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office WordPad and Office Text Converters PlcPcd aCP buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|02 10 00 00 00 00 00 00 00|"; byte_test:4,>,2147483648,0,relative,little; content:"|00 00 10|",within 3,distance 5; content:"@|00 00 FF FF 01 00|",within 8; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-0235; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-010; classtype:attempted-user; sid:15467; rev:11; service:http; service:imap; service:pop3; )
# MS09-027: sids 15524 / 17742 (CVE-2009-0563) and 17691 / 15525 / 17690 (CVE-2009-0565). All gated on
# file.doc, each a single static pattern with the same generic msg text, so only the sid identifies
# which variant fired. 15525 and 17690 share an 18-byte prefix ("|00 00 0D 0A 11|h|01 13 98 FE 0C|4|00 FF
# 8F 08 00 00|") and diverge in the bytes after it ("|FF FF|" vs "|01 00 ...|").
01954 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word remote code execution attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|F6 03 00 00 FF 7F 12 D6 FC 12 D6 FC|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-0563; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-027; classtype:attempted-user; sid:15524; rev:10; service:http; service:imap; service:pop3; )
01955 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word remote code execution attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|07 07 07 52 07 45 07 50 07 52 07 4F 07 07 07|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-0563; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-027; classtype:attempted-user; sid:17742; rev:8; service:http; service:imap; service:pop3; )
01956 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word remote code execution attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|00 00 E9 62 F9 FF FF 13 98 FE 0C|4|00 FF 8F FF E7 40 40 40|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-0565; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-027; classtype:attempted-user; sid:17691; rev:8; service:http; service:imap; service:pop3; )
01957 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word remote code execution attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|00 00 0D 0A 11|h|01 13 98 FE 0C|4|00 FF 8F 08 00 00 FF FF|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-0565; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-027; classtype:attempted-user; sid:15525; rev:10; service:http; service:imap; service:pop3; )
01958 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word remote code execution attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|00 00 0D 0A 11|h|01 13 98 FE 0C|4|00 FF 8F 08 00 00 01 00 00 00 01 00 68 01 78|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-0565; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-027; classtype:attempted-user; sid:17690; rev:8; service:http; service:imap; service:pop3; )
# sid 16314 (MS09-073, CVE-2009-2506): gated on file.doc. After the 28-byte header the 4-byte LE value
# must exceed 357913941 = 0x15555555 = floor(0xFFFFFFFF / 12); any larger count overflows a 32-bit
# multiply by 12, which is consistent with the msg's integer overflow (element size of 12 inferred from
# the threshold - confirm against the converter code).
01959 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Windows WordPad and Office text converter integer overflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|C0 00 00 00 16 00 00 00 C8 00 00 00 0D 00 00 00 D0 00 00 00 0C 00 00 00 E1 00 00 00|"; byte_test:4,>,357913941,0,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-2506; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-073; classtype:attempted-user; sid:16314; rev:8; service:http; service:imap; service:pop3; )
# sids 16553 (CVE-2009-3132) and 16226 (CVE-2009-3130), both MS09-067: gated on file.xls; single static
# patterns with no byte_tests. The 16226 content includes bytes ("|0A AA|A|8D 86 84|7|0E|") that appear to
# be sample-specific rather than structural, so it is tied to that one sample.
01960 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel ptg index parsing code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|06 00 05 1E 02 00 1E 03 00 05 1E 04 00 05 1E 05 00 05 1E 06 00 05 1E 03 00 1E 04 00|B|04|G|00 D7 00 06 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-3132; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-067; classtype:attempted-user; sid:16553; rev:8; service:http; service:imap; service:pop3; )
01961 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel integer field in row record improper validation remote code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|08 00|P|00 00 FF 00 00 0A AA|A|8D 86 84|7|0E FF FF 00 00 00 00 00 FE 0D|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-3130; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-067; classtype:attempted-user; sid:16226; rev:8; service:http; service:imap; service:pop3; )
# sids 16177 / 16178 (MS09-062, CVE-2009-2528): the same Office Art property-table condition, gated on
# file.doc and file.xls respectively. Both patterns end in "V|00|AAAA", i.e. they include the "AAAA"
# filler of the sample; a variant with other filler bytes after the property entry is not matched.
01962 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word GDI+ Office Art Property Table remote code execution attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"c|00 0B F0 24 00 00 00 7F 00 04 00 04 00|X|01 00 00 00 00|V|00|AAAA"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-2528; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-062; classtype:attempted-user; sid:16177; rev:9; service:http; service:imap; service:pop3; )
01963 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel GDI+ Office Art Property Table remote code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"3|01 0B F0 8C 02 00 00 7F 00 08 00 08 00|E|C1 A8 01 00 00|F|C1 1C 00 00 00|Q|C1|&|00 00 00|U|C1 00 00 00 00|V|C1 00 00 00 00|W|C1 16 00 00 00|V|00|AAAA"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-2528; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-062; classtype:attempted-user; sid:16178; rev:9; service:http; service:imap; service:pop3; )
# sid 16233 (MS09-067, CVE-2009-3132): gated on file.xls. Keys on "|06 00|J|00|" (presumably a record
# type 0x0006 with length 0x004A) followed exactly 66 bytes later by "|03 1E 0A 00|B|04|G|00|". The msg
# names an oversized cparams value but no byte_test is applied, so the rule is pattern-only and tied to
# the sample's record layout.
01964 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel oversized ptgFuncVar cparams value buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|06 00|J|00|"; content:"|03 1E 0A 00|B|04|G|00|",within 8,distance 66; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-3132; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-067; classtype:attempted-user; sid:16233; rev:9; service:http; service:imap; service:pop3; )
# sids 16535 (CVE-2010-0254) and 16536 (CVE-2010-0256), both MS10-028: gated on file.visio; single static
# patterns with no value checks. The 16536 pattern contains what look like IEEE doubles ("|...F0|?A",
# "|...E0|?A", "|...B0|?A") taken from the sample, so other attribute values are not matched.
01965 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Visio improper attribute code execution attempt"; flow:to_client,established; flowbits:isset,file.visio; file_data; content:"|19 00 1A 00 1B 00 1C 00 1D 00 1E 00 1F 00| |00|h|00 00 00 02|U|00 00 F8 00 00 00 00 00 00 00|@"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-0254; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-028; classtype:attempted-user; sid:16535; rev:10; service:http; service:imap; service:pop3; )
01966 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Visio off-by-one in array index code execution attempt"; flow:to_client,established; flowbits:isset,file.visio; file_data; content:"h|00 07 00 01|T|00 00 C8 01 00 00 00 00 00 00|I|00 00 00 00 00 00 F0|?A|00 00 00 00 00 00 E0|?A|00 00 00 00 00 00 B0|?A|00 00 00 00 00 00 B0 BF|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-0256; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-028; classtype:attempted-user; sid:16536; rev:10; service:http; service:imap; service:pop3; )
# sids 16463 (BIFF5) / 16462 (BIFF8), MS10-017, CVE-2010-0258: gated on file.xls. Each requires three
# 0x3B-prefixed token patterns at fixed gaps after one another (12 then 74 bytes for the BIFF5 form,
# 12 then 92 for BIFF8; "within" equals the pattern length so the gap is exact). The gaps come from the
# sample's formula layout, so a differently spaced formula is not matched.
01967 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel BIFF5 formulas from records parsing code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|3B FF FF 00 00 00 00 00 00 01 00 00 00 00 00 01 00 01 00 00 02|"; content:"|3B FF FF 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 02|",within 21,distance 12; content:"|3B FF FF 00 00 00 00 00 00 01 00 00 00 00 00 02 00 02 00 00 02|",within 21,distance 74; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-0258; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-017; classtype:attempted-user; sid:16463; rev:8; service:http; service:imap; service:pop3; )
01968 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel BIFF8 formulas from records parsing code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|3B 00 00 01 00 01 00 00 00 02 00|"; content:"|3B 00 00 00 00 00 00 00 00 02 00|",within 11,distance 12; content:"|3B 00 00 02 00 02 00 00 00 02 00|",within 11,distance 92; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-0258; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-017; classtype:attempted-user; sid:16462; rev:8; service:http; service:imap; service:pop3; )
# sid 16466 (MS10-017, CVE-2010-0262) and sids 16644 / 16645 / 16646 / 16648 (MS10-038, CVE-2010-0824 /
# CVE-2010-1245 / CVE-2010-1246 / CVE-2010-1247): gated on file.xls; each is a single static pattern
# with no value checks. 16646 and 16648 share the same 17-byte prefix ("|13 08 E9 0B 0F 00 00 F0 E1 0B 00
# 00 00 00 06 F0 00|") and differ only in the bytes after it, so they cannot both match one occurrence.
01969 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel uninitialized stack variable code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:">|02 12 00 B6 06 00 00 00 00|@|00 00 00 00 00 00 00 00 00 00 00 1D 00 0F 00 03 00 00 00 00 00 00 01 00 00 00 00 00 00 00 9A 00 06 00 FF FF 00 00 00 00 0A 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-0262; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-017; classtype:attempted-user; sid:16466; rev:8; service:http; service:imap; service:pop3; )
01970 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel WOpt record memory corruption attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|0B 08 3F 00 2C 00 3A 00 00 5F 28 22 24 22 2A 20 23 2C 23 23 1F 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-0824; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-038; classtype:attempted-user; sid:16644; rev:8; service:http; service:imap; service:pop3; )
01971 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel SxView record memory pointer corruption attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|B0 00 3D 00 02 00 08 00 00 00 01 00 04 00 04 00 01 00 FF 7F|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-1245; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-038; classtype:attempted-user; sid:16645; rev:8; service:http; service:imap; service:pop3; )
01972 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel RealTimeData record stack buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|13 08 E9 0B 0F 00 00 F0 E1 0B 00 00 00 00 06 F0 00 00 00 00 02 04 00 00 02 00 00 00 00 00 00 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-1246; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-038; classtype:attempted-user; sid:16646; rev:9; service:http; service:imap; service:pop3; )
01973 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt - 1"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|13 08 E9 0B 0F 00 00 F0 E1 0B 00 00 00 00 06 F0 00 01 00 00 00 FF FF FF|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-1247; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-038; classtype:attempted-user; sid:16648; rev:8; service:http; service:imap; service:pop3; )
# sid 17038 (MS10-044, CVE-2010-1881): gated on file.doc. Matches "ObjectPool" as UTF-16LE and, anywhere
# after it, a 32-byte pattern whose last 16 bytes read, in little-endian GUID order, as
# {53230327-172B-11D0-AD40-00A0C90DC8D9} (presumably the ACCWIZ control's CLSID named in the msg).
01974 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Access ACCWIZ library release after free attempt - 1"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"O|00|b|00|j|00|e|00|c|00|t|00|P|00|o|00|o|00|l|00|"; content:"|18 00 01 01 FF FF FF FF FF FF FF FF 06 00 00 00 27 03 23 53 2B 17 D0 11 AD 40 00 A0 C9 0D C8 D9|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-1881; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-044; classtype:attempted-user; sid:17038; rev:8; service:http; service:imap; service:pop3; )
# sids 17119 (MS10-056, CVE-2010-1900, file.doc), 18065 (MS10-088, CVE-2010-2572, file.ppt),
# 17754 (MS10-079, CVE-2010-3216, file.doc), 17755 (MS10-079, CVE-2010-3219, file.doc) and
# 17763 (MS10-080, CVE-2010-3242, file.xls): static patterns with no byte_tests. 17755 requires two
# separate patterns, but the second carries no distance/within, so it is searched from the start of the
# buffer and no ordering between the two is enforced.
01975 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word sprmCMajority SPRM overflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|01 08 5B 05 68 45 DE 11 13 6D 48 7B 07 7D 28 F0 6D 48 44 06 07|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-1900; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-056; classtype:attempted-user; sid:17119; rev:8; service:http; service:imap; service:pop3; )
01976 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office PowerPoint converter bad indirection remote code execution attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|00 00 0D 00 00 00 B0 0F 00 00 FF FF 00 00 8C 01 00 00 18 00 00 00 B1 0F 00 00 00 00 00 00 00 00 00 00 00 00 00 00 B3|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-2572; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-088; classtype:attempted-user; sid:18065; rev:8; service:http; service:imap; service:pop3; )
01977 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word bookmark bound check remote code execution attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|00 00 62 00 00 00 75 00 00 00 7E 00 00 00 8A 00 00 00 02 00 00 00 02 00 00 00 00 00 02 00 01|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-3216; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-079; classtype:attempted-user; sid:17754; rev:9; service:http; service:imap; service:pop3; )
01978 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word unchecked index value remote code execution attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|E0 10 11 84 00 00 15 C6 05 00 01 48 12 06 5E 84 E0 10 60 84 00 00 6F 28 00 87 68 00 00 00 00 88|"; content:"|0F 84 1C 11 11 84 4C FF 15 C6 05 00 01 1C 11 06|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-3219; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-079; classtype:attempted-user; sid:17755; rev:10; service:http; service:imap; service:pop3; )
01979 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel GhostRw record exploit attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|20 00 05 19 40 00 01 1E 01 00 19 40 00 01 03 1F 00 00 00 00 00 00 10 41 1E 00 04 05 19 40 00 01 1E 01 00 19 40 00 01 03 1E 10 00 1E 00 01 05 19 40|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-3242; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-080; classtype:attempted-user; sid:17763; rev:8; service:http; service:imap; service:pop3; )
# sid 18068 (MS10-087, CVE-2010-3335): gated on file.xls; static 16-byte pattern. flow is written as
# "established, to_client" here - same meaning as the "to_client,established" used elsewhere in this file.
01980 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel malformed MsoDrawingObject record attempt"; flow:established, to_client; flowbits:isset,file.xls; file_data; content:"|18 6A CB 01 70 7E 13 F2 DE 6E CB 01 06 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-3335; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-087; classtype:attempted-user; sid:18068; rev:8; service:http; service:imap; service:pop3; )
# sids 17406 / 17404 (MS09-010, CVE-2008-4841): gated on file.doc; two independent static patterns for
# the same XST overflow, each tied to one sample (no byte_tests on the length that overflows).
01981 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word Converter XST structure buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|5F B3 AC 33 42 1E DA DE 51 CA FA 0D 4F 71 3C 4B BE EC 72 87 2B 4D 06 22 A7 4C 49 75 6A E0 37 20 BB 29 CB A9 2E|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2008-4841; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-010; classtype:attempted-user; sid:17406; rev:7; service:http; service:imap; service:pop3; )
01982 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word Converter XST structure buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|11 84 98 FE 5E 84 68 01 60 84 98 FE 4F 4A 06 00 51 4A 06 00 6F 28 00 87 68 00 00 00 00 88 48 00 00 42 43 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2008-4841; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-010; classtype:attempted-user; sid:17404; rev:7; service:http; service:imap; service:pop3; )
# sid 18236 (MS10-105, CVE-2010-3949): gated on file.tiff; a static 40-byte run (the 12-byte groups look
# like TIFF IFD entries - not verified here), no value checks.
01983 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office TIFFIM32.FLT filter memory corruption attempt"; flow:to_client,established; flowbits:isset,file.tiff; file_data; content:"|01 02 00 03 00 00 FF FF 00 00 0D 00 01 03 00 03 00 00 00 01 00 03 00 00 01 06 00 03 00 00 00 01 00 00 00 00 01 0A 00 03|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-3949; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-105; classtype:attempted-user; sid:18236; rev:10; service:http; service:imap; service:pop3; )
# sids 18643 / 18642 (MS11-033, CVE-2011-0028) and 20129 (MS11-073, CVE-2011-1982): NOTE these carry no
# flowbits gate, so they are evaluated on every file_data buffer seen on $FILE_DATA_PORTS, not only on
# buffers an earlier rule identified as an Office file (presumably deliberate for the text converters,
# which accept several formats - confirm before adding a gate). 18642 forces fast_pattern onto its first
# content and needs the second within 50 bytes of it; the other two are single static patterns.
# The 17-byte content of 18643 is also contained in the content of sid 19707 further down - see there.
01984 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word Converter sprmTTextFflow overflow attempt"; flow:to_client,established; file_data; content:"|29 76 00 FF E0 01 13 D6 30 00 00 00 FF 04 01 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-0028; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-033; classtype:attempted-user; sid:18643; rev:9; service:http; service:imap; service:pop3; )
01985 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word Converter sprmTSplit overflow attempt"; flow:to_client,established; file_data; content:"|25 56 00 FF 05 D6 18 04 01 00 00 04 01|",fast_pattern; content:"|08 D6 1A 00 01 94 FF 2C 22 00 06 98 22|",within 50; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-0028; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-033; classtype:attempted-user; sid:18642; rev:9; service:http; service:imap; service:pop3; )
01986 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office BpscBulletProof uninitialized pointer dereference attempt"; flow:to_client,established; file_data; content:"|0F 00 03 18 79 3B 00 00 0F 00 04 F0 48 05 00 00 01 00 09|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-1982; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-073; classtype:attempted-user; sid:20129; rev:6; service:http; service:imap; service:pop3; )
# sid 20049 (MS11-045, CVE-2011-1276): gated on file.slk. Requires six occurrences, in order, of a line
# beginning "P;PAAAA" (LF, then "P;P", then the "AAAA" filler from the sample). Both the literal "AAAA"
# and the count of six are sample-derived, so a file with other data after "P;P" is not matched.
01987 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel SLK file excessive Picture records exploit attempt"; flow:to_client,established; flowbits:isset,file.slk; file_data; content:"|0A|P|3B|PAAAA"; content:"|0A|P|3B|PAAAA",distance 0; content:"|0A|P|3B|PAAAA",distance 0; content:"|0A|P|3B|PAAAA",distance 0; content:"|0A|P|3B|PAAAA",distance 0; content:"|0A|P|3B|PAAAA",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-1276; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-045; classtype:attempted-user; sid:20049; rev:7; service:http; service:imap; service:pop3; )
# sid 17310 (CVE-2008-0120): gated on file.ppt; single static 33-byte pattern, no value checks.
01988 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office PowerPoint Viewer memory allocation code execution attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|43 00 0B F0 26 00 00 00 7F 00 80 00 80 00 04 41 64 00 00 00 05 C1 0E 00 00 00 06 01 01 00 00 00 53|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,30552; reference:cve,2008-0120; classtype:attempted-user; sid:17310; rev:7; service:http; service:imap; service:pop3; )
# sid 19707 (MS11-033, CVE-2011-0028): no flowbits gate. Its 20-byte content is exactly the 17-byte
# content of sid 18643 with "|00 00|" prepended and "|00|" appended, so every buffer that matches this
# rule also matches 18643 and the two always alert together. The msg says sprmTSplit while 18643 labels
# the same bytes sprmTTextFflow, so one of the two messages is mislabelled. Consider retiring this sid or
# giving it a pattern that 18643 does not already cover.
01989 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word Converter sprmTSplit overflow attempt"; flow:to_client,established; file_data; content:"|00 00 29 76 00 FF E0 01 13 D6 30 00 00 00 FF 04 01 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-0028; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-033; classtype:attempted-user; sid:19707; rev:7; service:http; service:imap; service:pop3; )
# sid 19442 (CVE-2010-0243 / MS10-003): exact 20-byte match; gated on file.ole.
01990 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office embedded Office Art drawings execution attempt"; flow:to_client,established; flowbits:isset,file.ole; file_data; content:"|00 00 05 00 00 00 07 08 00 00 0F 00 EF 03 00 00 00 00 0F 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,38073; reference:cve,2010-0243; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-003; classtype:attempted-user; sid:19442; rev:7; service:http; service:imap; service:pop3; )
# sid 19156 (CVE-2010-3945 / MS10-105, also referenced under CVE-2012-2524 / MS12-057): exact byte
# match of a CGM cell array from a known sample; gated on file.cgm. Its sibling sid 18200 for the
# same CVEs carries no file.cgm gate -- the two should probably agree.
01991 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office .CGM file cell array heap overflow attempt"; flow:to_client,established; flowbits:isset,file.cgm; file_data; content:"|20 42 00 01 00 80 41 3F 8F F8 00 00 00 95 00 C7 00 00 00 C7 00 95 00 AA 00 96 00 08 00 00 00 0C|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-3945; reference:cve,2012-2524; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-105; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-057; classtype:attempted-user; sid:19156; rev:8; service:http; service:imap; service:pop3; )
# sid 18541 (CVE-2010-0263 / MS10-017): matches the tail of the zip entry name "xl/comments1.xml"
# ("l/comments1.xml") immediately followed by AC AA AA AA AA. In an OOXML container the bytes after
# an entry name are that entry's (normally deflated) data, so this appears tied to one specific
# sample rather than to the malformed comments.xml content itself. No file-type gate.
01992 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel 2007 invalid comments.xml uninitialized pointer access attempt 3"; flow:to_client,established; file_data; content:"|6C 2F 63 6F 6D 6D 65 6E 74 73 31 2E 78 6D 6C AC AA AA AA AA|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-0263; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-017; classtype:attempted-user; sid:18541; rev:7; service:http; service:imap; service:pop3; )
# sid 18514 (CVE-2008-0118 / MS08-016): exact 28-byte sequence from a known sample; no file-type gate.
01993 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office PowerPoint malformed shapeid arbitrary code execution attempt"; flow:to_client,established; file_data; content:"|0A F0 08 00 00 00 01 20 01 00 56 61 9A 92 B3 65 82 F0 30 00 00 00 81 01 00 00 B4 B0|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,28146; reference:cve,2008-0118; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-016; classtype:attempted-user; sid:18514; rev:9; service:http; service:imap; service:pop3; )
# sid 17565 (CVE-2009-0225): exact 28-byte sequence; no file-type gate.
01994 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office PowerPoint PP7 File Handling Memory Corruption attempt"; flow:to_client,established; file_data; content:"|08 00 00 00 00 00 00 00 AA FF FF 3F 00 00 00 00 FD 03 00 00 01 00 00 00 34 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,34880; reference:cve,2009-0225; classtype:attempted-user; sid:17565; rev:6; service:http; service:imap; service:pop3; )
# sid 17383 (CVE-2008-0119): two ordered fixed byte sequences; no file-type gate. The msg ends in
# "attempted" where every other rule in this group uses "attempt" -- worth normalising on the next rev
# (the msg text is matched by downstream tooling, so it is not changed here).
01995 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Publisher Object Handler Validation Code Execution attempted"; flow:to_client,established; file_data; content:"|00 00 03 68 1A 01 00 00 34 00 00 00 01 20 01 00|"; content:"|01 20 1D 01 00 00 02 20 1C 01 00 00 03 90 5A 05 00 00 00 78 00 78|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,29158; reference:cve,2008-0119; classtype:attempted-user; sid:17383; rev:6; service:http; service:imap; service:pop3; )
# sid 15163 (CVE-2008-1089): exact byte sequence written in mixed hex/ASCII notation ("naaa", "a" and "@"
# are literal bytes from the sample); no file-type gate.
01996 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Visio Object Header Buffer Overflow attempt"; flow:to_client,established; file_data; content:"|10|@|DE|naaa|87|a|17|@|DE FD F2 F1 09|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2008-1089; classtype:attempted-user; sid:15163; rev:7; service:http; service:imap; service:pop3; )
# sid 13665 (CVE-2008-1090 / MS08-019): gated on file.dxf. Finds "HATCH\r\n" (nocase) and then fires
# when the NEXT line is NOT a positive decimal integer (negated, relative pcre). Note the policy
# metadata is security-ips *alert* rather than drop, unlike its neighbours.
01997 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Visio DXF file invalid memory allocation exploit attempt"; flow:to_client,established; flowbits:isset,file.dxf; file_data; content:"HATCH|0D 0A|",nocase; pcre:!"/^\s*[1-9][0-9]*\x0d\x0a/R"; metadata:policy balanced-ips drop,policy security-ips alert,service http,service imap,service pop3; reference:cve,2008-1090; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-019; classtype:attempted-user; sid:13665; rev:12; service:http; service:imap; service:pop3; )
# sid 13970 (CVE-2006-1317, CVE-2008-3019 / MS08-044): gated on file.eps. "depth 4" with no distance/within
# is absolute, so the C5 D0 D3 C6 magic must sit at the very start of the file_data buffer; the byte_test
# then reads the 16-bit LE word 24 bytes past that magic (buffer offset 28, the checksum position in the
# DOS-EPS binary header layout) and fires when it is > 32767, i.e. its high bit is set. The
# "%!PS-Adobe-EPSF-3.0" content is unanchored and case-sensitive.
01998 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office eps filters memory corruption attempt"; flow:to_client,established; flowbits:isset,file.eps; file_data; content:"%!PS-Adobe-EPSF-3.0"; content:"|C5 D0 D3 C6|",depth 4; byte_test:2,>,32767,24,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,30595; reference:cve,2006-1317; reference:cve,2008-3019; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-044; classtype:attempted-user; sid:13970; rev:14; service:http; service:imap; service:pop3; )
# sid 18233 (CVE-2010-3956 / MS10-091): exact 20-byte match inside the font data; gated on file.otf.
02000 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Publisher Adobe Font Driver code execution attempt"; flow:to_client,established; flowbits:isset,file.otf; file_data; content:"|E0 98 FF FF FF E1 FF 5F FF E2 DF E0 DE 71 DE 9E DE 71 DC 83|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-3956; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-091; classtype:attempted-user; sid:18233; rev:9; service:http; service:imap; service:pop3; )
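# sid 18398 (CVE-2010-3970 / MS11-006): locates what looks like a 16-byte GUID followed by 30 00 00 00,
# then the UTF-16 "Thumbnail" property name followed by 00 00 00 41 00 00 00, then "28 00 00 00"
# (BITMAPINFOHEADER biSize = 40) 4 bytes further on. Relative to the end of biSize the pcre:
#   - lookahead: 10 bytes in (past biWidth, biHeight, biPlanes) the 16-bit biBitCount must be one of the
#     listed values with a zero high byte;
#   - then EITHER the 4th byte of biWidth (its MSB) is >= 0x55, OR the byte 31 in -- the MSB of
#     biClrUsed at BITMAPINFOHEADER offset 32 -- is >= 0x80.
# Fix (rev 9 -> 10): the biBitCount set was [\x01\x04\x08\x16\x24\x32]. \x16, \x24 and \x32 are 22, 36
# and 50 decimal, which are not bitmap bit depths; the decimal values 16/24/32 were almost certainly
# written as if they were hex. The set is now [\x01\x04\x08\x10\x18\x20] so 16-, 24- and 32-bpp
# thumbnails are actually inspected. Nothing else in the rule changed. No file-type gate.
02001 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office thumbnail bitmap invalid biClrUsed attempt"; flow:to_client,established; file_data; content:"|C0 9C 83 4A FF F8 CE 11 A0 6B 00 AA 00 A7 11 91 30 00 00 00|"; content:"T|00|h|00|u|00|m|00|b|00|n|00|a|00|i|00|l|00 00 00 41 00 00 00|",distance 0; content:"|28 00 00 00|",within 4,distance 4; pcre:"/^(?=.{10}[\x01\x04\x08\x10\x18\x20]\x00)(.{3}[\x55-\xFF]|.{31}[\x80-\xFF])/sR"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-3970; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-006; classtype:attempted-user; sid:18398; rev:10; service:http; service:imap; service:pop3; )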
# sid 15681 (CVE-2009-0566 / MS09-030): exact 22-byte sequence; no file-type gate.
02006 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Publisher 2007 file format arbitrary code execution attempt"; flow:to_client,established; file_data; content:"R|00 12 12 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 13 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-0566; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-030; classtype:attempted-user; sid:15681; rev:8; service:http; service:imap; service:pop3; )
# sids 16468 / 16467 (CVE-2010-0263 / MS10-017, variants 2 and 1): each matches a 32-byte run of opaque
# sample bytes ending in the "AAAA" filler. Neither has a file-type gate; both detect those specific
# samples only, not the underlying malformed comments.xml condition.
02007 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel 2007 invalid comments.xml uninitialized pointer access attempt 2"; flow:to_client,established; file_data; content:"|87 0C 14 B9 C6 B7 BD BB 1A|x?|9F EE 0A|P|1C D1 B5|8xG|06 BE 88 E1|X|DF DE|AAAA"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-0263; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-017; classtype:attempted-user; sid:16468; rev:8; service:http; service:imap; service:pop3; )
02008 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel 2007 invalid comments.xml uninitialized pointer access attempt 1"; flow:to_client,established; file_data; content:"Zsk|C9 23 EF E2|@A|3A 97 98|<f|81 E9 AA|yH|84 1D|[|A2 EC|{|FD 5C 14|AAAA"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-0263; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-017; classtype:attempted-user; sid:16467; rev:8; service:http; service:imap; service:pop3; )
# sid 17039 (CVE-2010-1881 / MS10-044): keys on CLASSID="CLSID:53230327-172B-11D0-AD40-00A0C90DC8D9"
# followed by exactly one space and "data=" (nocase). Only the double-quoted form with that exact
# spacing matches; single quotes, an unquoted value, or other attributes/whitespace before data=
# are not covered. No file-type gate.
02009 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Access ACCWIZ library release after free attempt - 2"; flow:to_client,established; file_data; content:"CLASSID|3D 22|CLSID|3A|53230327-172B-11D0-AD40-00A0C90DC8D9|22| data|3D|",nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-1881; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-044; classtype:attempted-user; sid:17039; rev:8; service:http; service:imap; service:pop3; )
# sid 18200 (CVE-2010-3945 / MS10-105, also CVE-2012-2524 / MS12-057): exact 33-byte CGM sequence from a
# known sample. Unlike sid 19156 for the same CVEs this rule has no flowbits:isset,file.cgm gate, so it
# is evaluated on every file_data buffer.
02010 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office .CGM file cell array heap overflow attempt"; flow:to_client,established; file_data; content:"|41 3F 80 14 00 00 00 1F 00 1F 00 00 00 1F 00 1F 00 20 00 20 00 00 00 00 05 B8 80 80 FF FF FF 00 01|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-3945; reference:cve,2012-2524; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-105; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-057; classtype:attempted-user; sid:18200; rev:10; service:http; service:imap; service:pop3; )
# sid 17405 (CVE-2008-4841 / MS09-010): fixed byte sequence; no file-type gate. Closely related to
# sid 15455 (same CVE), which carries a longer sequence differing in a few bytes.
02011 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word Converter XST structure buffer overflow attempt"; flow:to_client,established; file_data; content:"|00 00 0D 10 00 00 0F 84 D0 02 11 84 98 FE 5E 84 D0 02 60 84 98 FE 6F 28 00 87 68 00 00 00 00 88 48 00 00 1F 05|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2008-4841; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-010; classtype:attempted-user; sid:17405; rev:8; service:http; service:imap; service:pop3; )
# sid 19405 (CVE-2010-0266 / MS10-045): matches the literal PoC string
# "file://c:\windows\system32\calc.exe?oooo.dat". Any other target path or query string evades it,
# so treat this as coverage of the public sample rather than of the attach-by-reference technique.
# No file-type gate.
02016 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Outlook SMB attach by reference code execution attempt"; flow:to_client,established; file_data; content:"file://c:|5C|windows|5C|system32|5C|calc.exe?oooo.dat"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,41446; reference:cve,2010-0266; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-045; classtype:attempted-user; sid:19405; rev:7; service:http; service:imap; service:pop3; )
# sid 13573 (CVE-2008-0110 / MS08-015): mailto: URI whose query part (after "?") carries "/importprf".
# The pcre requires it inside a tag attribute: "<" ... quote, "mailto:", ... "?" ... "/importprf",
# all case-insensitive. classtype is misc-attack rather than attempted-user. No file-type gate.
02017 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Outlook arbitrary command line attempt"; flow:to_client,established; file_data; content:"mailto|3A|",nocase; content:"|2F|importprf",distance 0,nocase; pcre:"/\x3c[^\x3e]+[\x22\x27]mailto\x3a[^\x3e]+\x3f[^\x3e]*\x2fimportprf/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2008-0110; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-015; classtype:misc-attack; sid:13573; rev:14; service:http; service:imap; service:pop3; )
# sid 15455 (CVE-2008-4841 / MS09-010): long fixed sequence in mixed hex/ASCII notation from a specific
# sample, ending in the "BB" filler; no file-type gate. Shares most of its structure with sid 17405.
02018 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office WordPad and Office Text Converters XST parsing buffer overflow attempt"; flow:to_client,established; file_data; content:"|01 00 90|hNIr|8F 1E 23 FF 0F FF 0F FF 0F FF 0F FF 0F FF 0F FF 0F FF 0F FF 0F 00 00 01 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0D 10 00 00 0F 84|h|01 11 84 98 FE|^|84|h|01|`|84 98 FE|o|28 00 87|h|00 00 00 00 88|H|00 00|BB"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2008-4841; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-010; classtype:attempted-user; sid:15455; rev:6; service:http; service:imap; service:pop3; )
# sid 15466 (CVE-2009-0088 / MS09-010): keyed on the literal "Nullcode.com.ar" string (a marker left by
# the PoC author) plus the surrounding length bytes; no file-type gate. Coverage is limited to that
# sample.
02019 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office WordPad WordPerfect 6.x converter buffer overflow attempt"; flow:to_client,established; file_data; content:"|1E 00 00 00 10 00 00 00|Nullcode.com.ar|00 03 00 00 00 01 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-0088; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-010; classtype:attempted-user; sid:15466; rev:7; service:http; service:imap; service:pop3; )
# sids 21896-21901 (CVE-2012-0158 / MS12-027), binary OLE form. Each looks for the 21 43 34 12 marker,
# one of six 4-byte values that distinguish the variants, then "Cobj" (43 6F 62 6A), and fires when the
# 32-bit LE value 4 bytes after "Cobj" exceeds 8. All six are gated on file.doc only; the same embedded
# control in a non-.doc Office container would presumably not be evaluated unless file.doc is set.
# Their RTF hex-encoded counterparts are sids 21902-21905.
02020 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|21 43 34 12|"; content:"|4E 08 7D EB|",distance 0; content:"|43 6F 62 6A|",distance 0; byte_test:4,>,8,4,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21896; rev:2; service:http; service:imap; service:pop3; )
02021 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|21 43 34 12|"; content:"|8B 8D DA 58|",distance 0; content:"|43 6F 62 6A|",distance 0; byte_test:4,>,8,4,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21897; rev:2; service:http; service:imap; service:pop3; )
02022 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|21 43 34 12|"; content:"|00 36 D8 F4|",distance 0; content:"|43 6F 62 6A|",distance 0; byte_test:4,>,8,4,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21898; rev:2; service:http; service:imap; service:pop3; )
02023 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|21 43 34 12|"; content:"|B1 3C C1 6A|",distance 0; content:"|43 6F 62 6A|",distance 0; byte_test:4,>,8,4,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21899; rev:2; service:http; service:imap; service:pop3; )
02024 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|21 43 34 12|"; content:"|8E 7E E1 E6|",distance 0; content:"|43 6F 62 6A|",distance 0; byte_test:4,>,8,4,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21900; rev:2; service:http; service:imap; service:pop3; )
02025 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|21 43 34 12|"; content:"|A3 E8 13 07|",distance 0; content:"|43 6F 62 6A|",distance 0; byte_test:4,>,8,4,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21901; rev:2; service:http; service:imap; service:pop3; )
# sid 17250 (CVE-2009-3302, CVE-2010-2563 / MS10-067): requires both file.doc and file.ole. Extracts the
# byte 2 past the 08 D6 sprm as NumberOfColumns, then after a later 20 D6 0B sprm extracts itcFirst and
# requires the following byte to exceed both itcFirst and NumberOfColumns.
# NOTE(review): the two byte_tests read at relative offset 0 after the byte_extract -- that is "the byte
# after itcFirst" only if byte_extract advances the detection cursor; confirm on the deployed Snort
# version. Policy metadata is alert-only in both balanced and security policies, unlike its neighbours.
02026 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Windows WordPad sprmTSetBrc SPRM overflow attempt"; flow:to_client,established; flowbits:isset,file.doc&file.ole; file_data; content:"|08 D6|"; byte_extract:1,2,NumberOfColumns,relative,little; content:"|20 D6 0B|",distance 0; byte_extract:1,0,itcFirst,relative,little; byte_test:1,>,itcFirst,0,relative,little; byte_test:1,>,NumberOfColumns,0,relative,little; metadata:policy balanced-ips alert,policy security-ips alert,service http,service imap,service pop3; reference:bugtraq,43122; reference:cve,2009-3302; reference:cve,2010-2563; reference:url,osvdb.org/show/osvdb/67983; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-067; classtype:attempted-user; sid:17250; rev:10; service:http; service:imap; service:pop3; )
# sids 21942 / 21943 (CVE-2010-0258 / MS10-017): two fixed byte sequences taken from known samples;
# gated on file.xls. Both are exact-match signatures, so they cover those samples rather than the
# type-confusion condition in general.
02027 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel sheet object type confusion exploit attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|00 00 00 00 51 10 1D 00 01 02 00 00 00 00 15 00 3B FF FF 00 00 00 00 00 00 01 00 13 00 13 00 01 00 01 00 00 02 51 10 1D 00 02 02 00 00 00 00 15|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-0258; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-017; classtype:attempted-user; sid:21942; rev:1; service:http; service:imap; service:pop3; )
02028 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel sheet object type confusion exploit attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|10 08 00 00 01 00 00 00 00 00 00 51 10 13 00 01 02 00 00 00 00 0B 00 3B 01 00 02 00 02 00 00 00 02 00 51 10 13 00 02 02 00 00 00 00 0B 00 3B 01|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-0258; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-017; classtype:attempted-user; sid:21943; rev:1; service:http; service:imap; service:pop3; )
# sid 17315 (CVE-2008-0320): gated on file.ole. Finds the UTF-16 "WordDocument" name (24 bytes matched,
# nocase) and reads the 32-bit LE value 96 bytes past the match end -- 24 + 96 = 120, which lines up
# with the stream-size field of a 128-byte OLE directory entry -- firing when it exceeds 0x80000000
# (high bit set, i.e. a negative / oversized stream length).
02029 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE OpenOffice OLE file stream buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.ole; file_data; content:"W|00|o|00|r|00|d|00|D|00|o|00|c|00|u|00|m|00|e|00|n|00|t|00|",nocase; byte_test:4,>,0x80000000,96,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,28819; reference:cve,2008-0320; classtype:attempted-user; sid:17315; rev:8; service:http; service:imap; service:pop3; )
# sids 22091 / 23009 (CVE-2012-0184 / MS12-030): gated on file.xls. Both find the B5 00 record header,
# require the next 2 bytes (record length) to be non-zero, and then test 16-bit LE fields at offsets
# relative to the end of the B5 00 match (the negated content and byte_tests appear to leave the cursor
# there): offset 2 must exceed 0x7fff and offset 4 must be 0 or 1. 22091 then requires offset 8 in
# [0, 0x7ef4]; 23009 requires offset 8 to be exactly FF 7F (0x7fff).
# The "byte_test:2,>=,0,..." checks are always true for an unsigned read and can be dropped on the
# next rev without changing behaviour.
02030 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel SXLI record integer overrun attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|B5 00|"; content:!"|00 00|",within 2; byte_test:2,>,0x7fff,2,little,relative; byte_test:2,>=,0,4,little,relative; byte_test:2,<=,1,4,little,relative; byte_test:2,>=,0,8,little,relative; byte_test:2,<=,0x7ef4,8,little,relative; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0184; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-030; classtype:attempted-user; sid:22091; rev:3; service:http; service:imap; service:pop3; )
02031 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel SXLI record integer overrun attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|B5 00|"; content:!"|00 00|",within 2; byte_test:2,>,0x7fff,2,little,relative; byte_test:2,>=,0,4,little,relative; byte_test:2,<=,1,4,little,relative; content:"|FF 7F|",within 2,distance 8; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0184; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-030; classtype:attempted-user; sid:23009; rev:2; service:http; service:imap; service:pop3; )
# sid 23010 (CVE-2010-0262 / MS10-017): record header 98 08 with length 09 00 followed by FF FF 00 00 00;
# gated on file.xls.
02032 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel FNGROUPNAME record memory corruption attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|98 08 09 00 FF FF 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,38553; reference:cve,2010-0262; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-017; classtype:attempted-user; sid:23010; rev:2; service:http; service:imap; service:pop3; )
# sid 23211 (CVE-2008-0110 / MS08-015): same shape as sid 13573 (mailto: inside a tag attribute, "?" then
# the token) but for "/altvba". classtype misc-attack. No file-type gate.
02033 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Outlook arbitrary command line attempt"; flow:to_client,established; file_data; content:"mailto|3A|",nocase; content:"|2F|altvba",distance 0,nocase; pcre:"/\x3c[^\x3e]+[\x22\x27]mailto\x3a[^\x3e]+\x3f[^\x3e]*\x2faltvba/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2008-0110; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-015; classtype:misc-attack; sid:23211; rev:1; service:http; service:imap; service:pop3; )
# sid 23989 (CVE-2012-0167): exact 32-byte sequence; no file-type gate and no bulletin URL reference
# (the other MS rules in this set carry one).
02053 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office EMF image EMFPlusPointF record memory corruption attempt"; flow:to_client,established; file_data; content:"|02 04 ED 9F F3 EE 77 BA A1 09 E7 97 42 49 07 A4 39 2E FF 00 D8 05 00 00 01 00 00 00 00 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0167; classtype:attempted-user; sid:23989; rev:1; service:http; service:imap; service:pop3; )
# sids 18616 / 18615 (CVE-2009-1533 / MS09-024): gated on file.works. Both key on the 03 10 FF marker
# followed by a run of 0x41 ("A") filler; 18616 additionally requires, 112 bytes further on, "AAAA" then
# 28 AE 12 00 and 58 17 DD 77 -- fixed values from the sample that look like payload / address material.
# Padding or values other than the public sample's evade both.
02055 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Works 4.x converter font name buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.works; file_data; content:"Times|20|New|20|Roman|20|Cyr|03 10 FF 41 41 41 41 41 41 41 41 41 41 41 41|"; content:"|41 41 41 41 28 AE 12 00 41 41 41 41 58 17 DD 77|",within 16,distance 112; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-1533; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-024; classtype:attempted-user; sid:18616; rev:7; service:http; service:imap; service:pop3; )
02056 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Works 4.x converter font name buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.works; file_data; content:"|00 00 00 00 A2 04 00 00 00 00 4E 03 00 00 54 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 10 FF 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-1533; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-024; classtype:attempted-user; sid:18615; rev:8; service:http; service:imap; service:pop3; )
# sid 13466 (CVE-2007-0216 / MS08-011): gated on file.works. Finds "STSH" (case-sensitive) and fires when
# the 16-bit LE value immediately after it exceeds 32768 (strictly greater, so exactly 0x8000 is not
# caught).
02057 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Works file converter file section length headers memory corruption attempt"; flow:to_client,established; flowbits:isset,file.works; file_data; content:"STSH"; byte_test:2,>,32768,0,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,27657; reference:cve,2007-0216; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-011; classtype:attempted-user; sid:13466; rev:12; service:http; service:imap; service:pop3; )
# sid 15526 (CVE-2009-1533 / MS09-024): gated on file.works. Long fixed sequence built from the sample's
# "f" filler interleaved with its 01 10 / 02 00 FF / 03 10 / ... marker bytes; the third signature for
# this CVE alongside sids 18615 and 18616, and equally sample-specific.
02058 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Works 4.x converter font name buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.works; file_data; content:"Timesffffffffff|01 10 12|fffff ffffffffffff|02 00 FF|fffff fffffffffffff|03 10 15|fffffffffffffffffffff|04 10 13|fffffffffffffffffffffffffffffffffffffffffffff|29 06 10 18|ffffffffffffffffffffffff|07 10 16|ffffffffffffffffffffff|08 10 1C|ffffffffffffffffffffffffffff|00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-1533; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-024; classtype:attempted-user; sid:15526; rev:10; service:http; service:imap; service:pop3; )
# sid 24351 (CVE-2012-2550 / MS12-065): gated on file.doc. Keys entirely on the PoC's literal text
# (= "BLAAAAAH" ", blah blah, the 0x13 field-begin marker, IF and MERGEFIELD); a re-authored document
# would not contain these words, so this covers the sample rather than the use-after-free trigger.
02060 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Works 9 use-after-free attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:" = |22|BLAAAAAH|22| |22|, blah blah |13| IF |13| MERGEFIELD"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-2550; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-065; classtype:attempted-user; sid:24351; rev:1; service:http; service:imap; service:pop3; )
# sid 24353 (CVE-2012-2528 / MS12-064): gated on file.rtf; requires "\listtable{" and later the literal
# "\listid2147483647}" (INT32_MAX). A different out-of-range value, or any delimiter other than "}"
# right after the number, misses.
02062 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word RTF malformed listid attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|listtable{"; content:"|5C|listid2147483647}"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-2528; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-064; classtype:attempted-user; sid:24353; rev:3; service:http; service:imap; service:pop3; )
# sid 24357 (CVE-2012-0182 / MS12-064): fixed 24-byte sequence from a known sample; gated on file.doc.
02064 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word rgfc value overflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|47 16 00 00 4A 16 00 00 B2 0C 00 40 51 16 00 00 55 16 00 00 59 16 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0182; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-064; classtype:attempted-user; sid:24357; rev:1; service:http; service:imap; service:pop3; )
# sid 17123 (CVE-2010-1902 / MS10-056): gated on file.rtf. "\dpcallout" followed within 50 bytes by
# "\dppolycount" (both nocase), whose numeric parameter (up to 5 ASCII characters) must exceed 50.
# The byte_test says "string" without a base; sid 15106 spells out "string,dec" for the same field --
# consider making them match rather than relying on the default conversion base.
02066 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word rich text format invalid field size memory corruption attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|dpcallout",nocase; content:"|5C|dppolycount",within 50,nocase; byte_test:5,>,50,0,string,relative; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-1902; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-056; classtype:attempted-user; sid:17123; rev:11; service:http; service:imap; service:pop3; )
# sids 17120-17122 (CVE-2010-1901 / MS10-056): gated on file.rtf. Each is the literal "\datafield \emfblip",
# "\datafield \pngblip" or "\datafield \jpegblip" with exactly one space and no nocase. RTF permits other
# delimiters between control words (newline, tab, a numeric parameter), so only the single-space form
# is covered.
02067 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word rich text format unexpected field type memory corruption attempt 1"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|datafield |5C|emfblip"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-1901; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-056; classtype:attempted-user; sid:17120; rev:11; service:http; service:imap; service:pop3; )
02068 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word rich text format unexpected field type memory corruption attempt 2"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|datafield |5C|pngblip"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-1901; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-056; classtype:attempted-user; sid:17121; rev:11; service:http; service:imap; service:pop3; )
02069 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word rich text format unexpected field type memory corruption attempt 3"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|datafield |5C|jpegblip"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-1901; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-056; classtype:attempted-user; sid:17122; rev:10; service:http; service:imap; service:pop3; )
# sids 18680 / 18706 (CVE-2010-3333 / MS10-087): gated on file.rtf. Both anchor on "pFragments" followed
# within 15 bytes by "{\sv" (nocase). 18680 skips two ';'-separated fields plus 8 more characters and
# reads the next 4 characters as a hex number, firing when it exceeds 4. 18706 instead requires at
# least 64 characters containing neither ';' nor '}' after the first ';' (at most 10 characters in).
# NOTE(review): 18680's byte_test combines "little" with "string, hex". The RTF MSCOMCTL rules
# (sids 21902-21905) express "> 8 little-endian" on a hex string as > 0x08000000, which suggests a
# hex string is read as written (big-endian) and "little" has no effect -- confirm on the deployed
# Snort version, since it decides what the threshold 4 really compares against.
02070 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office RTF malformed pfragments field"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"pFragments",nocase; content:"{|5C|sv",within 15,nocase; pcre:"/[^\x3b\x7d]*\x3b[^\x3b\x7d]*\x3b.{8}/smiR"; byte_test:4,>,4,0,relative,little, string, hex; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,44652; reference:cve,2010-3333; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-087; classtype:attempted-user; sid:18680; rev:12; service:http; service:imap; service:pop3; )
02071 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office RTF malformed second pfragments field"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"pFragments",nocase; content:"{|5C|sv",within 15,nocase; pcre:"/^[^\x3B\x7D]{0,10}\x3B[^\x3B\x7D]{64}/smiR"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,44652; reference:cve,2010-3333; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-087; classtype:attempted-user; sid:18706; rev:12; service:http; service:imap; service:pop3; )
# sid 15106 (CVE-2008-4025 / MS08-072): gated on file.rtf; fires when the decimal parameter (up to 5
# characters) immediately after "\dppolycount" (nocase) exceeds 8186. classtype misc-attack.
02072 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word .rtf file integer overflow attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|dppolycount",nocase; byte_test:5,>,8186,0,relative,string,dec; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2008-4025; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-072; classtype:misc-attack; sid:15106; rev:12; service:http; service:imap; service:pop3; )
# sid 17743 (CVE-2008-1091 / MS08-026): gated on file.rtf; literal four "\dpline" control words separated
# by exactly one space, case-sensitive. Any other delimiter, or a parameter on \dpline, breaks the match.
02077 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word RTF parsing memory corruption"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|dpline |5C|dpline |5C|dpline |5C|dpline"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,29104; reference:cve,2008-1091; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-026; classtype:attempted-user; sid:17743; rev:12; service:http; service:imap; service:pop3; )
# sid 15082 (CVE-2008-4028 / MS08-072): gated on file.rtf. The case-sensitive "\dpcallout" content
# prefilters for a case-insensitive pcre (/smi) wanting three "\dpcallout" separated by optional
# whitespace; a file using upper-case control words would satisfy the pcre but never reach it.
# Either add nocase to the content (as sid 17123 does) or drop the i flag so the two agree.
02078 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word rtf malformed dpcallout buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|dpcallout"; pcre:"/\x5cdpcallout\s*\x5cdpcallout\s*\x5cdpcallout/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2008-4028; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-072; classtype:attempted-user; sid:15082; rev:11; service:http; service:imap; service:pop3; )
# MS12-027 / CVE-2012-0158 (MSCOMCTL.OCX ListView/TreeView overflow), RTF
# variants. RTF \objdata is ASCII-hex, so every content below is the hex
# *text* of the bytes, not the bytes themselves:
#   "21433412" -> bytes 21 43 34 12, a 4-byte value common to all five rules
#                 (presumably a control-header constant -- verify against the
#                 MSCOMCTL persisted-stream layout before relying on it)
#   second 8-char token differs per rule -- presumably a field that varied
#                 across the samples these were derived from; confirm before
#                 trying to fold the five rules into one
#   "436F626A" -> "Cobj", the record whose size field is overflowed
# byte_test:8,>,0x08000000,8,relative,string,hex reads the 8 hex characters
# that begin 8 characters after "Cobj" and compares the converted value with
# 0x08000000. The hex text is the little-endian byte order written out, so
# without a byte swap the comparison effectively tests the first (low) size
# byte ("xx000000" > "08000000"); check how your engine applies "little" in
# string mode before porting these to another IDS.
# Caveat: RTF permits whitespace and line breaks inside \objdata hex, so a
# sample that wraps a line inside any of these 8-char tokens will not match.
02079 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"21433412"; content:"4E087DEB",distance 0,nocase; content:"436F626A",distance 0,nocase; byte_test:8,>,0x08000000,8,relative,little,string,hex; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21902; rev:6; service:http; service:imap; service:pop3; )
02080 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"21433412"; content:"8B8DDA58",distance 0,nocase; content:"436F626A",distance 0,nocase; byte_test:8,>,0x08000000,8,relative,little,string,hex; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21903; rev:6; service:http; service:imap; service:pop3; )
02081 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"21433412"; content:"0036D8F4",distance 0,nocase; content:"436F626A",distance 0,nocase; byte_test:8,>,0x08000000,8,relative,little,string,hex; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21904; rev:6; service:http; service:imap; service:pop3; )
02082 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"21433412"; content:"B13CC16A",distance 0,nocase; content:"436F626A",distance 0,nocase; byte_test:8,>,0x08000000,8,relative,little,string,hex; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21905; rev:6; service:http; service:imap; service:pop3; )
02083 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"21433412"; content:"8E7EE1E6",distance 0,nocase; content:"436F626A",distance 0,nocase; byte_test:8,>,0x08000000,8,relative,little,string,hex; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21906; rev:6; service:http; service:imap; service:pop3; )
# sid:21907, generic indicator with no CVE: an RTF body that spells out a path
# under the user profile ending in .exe (PCRE: "%USERPROFILE%\" then 1-255
# non-'.' characters then ".exe"). Neither the content nor the PCRE is
# case-insensitive, so "%userprofile%\" or ".EXE" are not covered; absolute
# "C:\Users\..." paths are out of scope by construction. Documents that
# legitimately embed install paths may trigger this -- treat as a lead, not
# a verdict.
02084 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office rtf document generic exploit indicator"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"%USERPROFILE%|5C|"; pcre:"/\x25USERPROFILE\x25\x5C[^\x2e]{1,255}\x2eexe/"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; classtype:attempted-user; sid:21907; rev:4; service:http; service:imap; service:pop3; )
# sid:21937: sixth MS12-027 RTF variant, same structure as sids 21902-21906
# above (only the second hex token differs).
02085 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"21433412"; content:"A3E81207",distance 0,nocase; content:"436F626A",distance 0,nocase; byte_test:8,>,0x08000000,8,relative,little,string,hex; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21937; rev:5; service:http; service:imap; service:pop3; )
# sid:23305: MS12-027 where the embedded object carries a whole OLE compound
# file -- "D0CF11E0" is the hex text of the CFB magic D0 CF 11 E0. The first
# byte_test requires the 8 hex characters right after "Cobj" to equal
# 0x64000000 (bytes 64 00 00 00); the second is the same size check used by
# the RTF-only variants above. Same string/hex endianness caveat applies.
02086 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"D0CF11E0"; content:"436F626A",distance 0,nocase; byte_test:8,=,0x64000000,0,relative,little,string,hex; byte_test:8,>,0x08000000,8,relative,little,string,hex; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:23305; rev:4; service:http; service:imap; service:pop3; )
# sid:17403 (CVE-2007-0245, OpenOffice \prtdata heap overflow): after "rtf"
# and "\prtdata", isdataat:200,relative ensures 200 more bytes exist and the
# negated content requires that none of them is a line feed. A writer that
# emits printer data on one long line would satisfy this too, so treat it as
# a strong but not conclusive indicator.
02087 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE OpenOffice RTF File parsing heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"rtf",nocase; content:"|5C|prtdata",distance 0,nocase; isdataat:200,relative; content:!"|0A|",within 200; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,24450; reference:cve,2007-0245; classtype:attempted-user; sid:17403; rev:9; service:http; service:imap; service:pop3; )
# sid:24587 (CVE-2012-2550, Works document UAF): one fixed 32-byte pattern,
# so coverage is tied to that sample's byte layout. Note this rule uses
# flowbits:set,file.doc rather than isset -- it is not gated on a file-type
# rule and will itself mark the flow as a .doc download when the bytes hit.
02088 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Works Word document use after free attempt"; flow:to_client,established; flowbits:set,file.doc; file_data; content:"|00 FF 00 00 00 13 3B 74 FF 13 3B 74 FF 95 C0 95 8C 13 3B 74 FF 95 80 13 3B 74 FF 95 80 0F 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-2550; classtype:attempted-user; sid:24587; rev:1; service:http; service:imap; service:pop3; )
# sid:24974 (CVE-2012-2539, MS12-079): alerts on a \listoverridecount whose
# value does not begin with '0', '1' or '9' (and is not followed by a NUL).
# The exclusions are prefix matches, so values such as 10..19 or 90..99 are
# also excluded and will NOT alert, while a value starting with 2-8 does.
# Review whether "leading digit 0/1/9" really matches the parser's accepted
# range before relying on this for blocking; a tighter PCRE on the full
# number would close the gap (bump rev if changed).
02092 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word rtf invalid listoverridecount value attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|listoverride"; content:"|5C|listoverridecount"; content:!"|5C|listoverridecount0"; content:!"|5C|listoverridecount1"; content:!"|5C|listoverridecount9"; content:!"|5C|listoverridecount|00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-2539; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-079; classtype:attempted-user; sid:24974; rev:3; service:http; service:imap; service:pop3; )
# sid:25293 / sid:25294 (CVE-2011-0101, MS11-021, Excel IPMT overflow): each
# matches one fixed 32-byte record layout, so coverage is limited to the
# exact samples they were derived from; a re-encoded exploit will not hit.
02094 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel IPMT record buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|1C 1D 13 08 48 00 13 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 25 02 00 00 00 11 6D 79 63 6F|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-0101; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-021; classtype:attempted-user; sid:25293; rev:1; service:http; service:imap; service:pop3; )
02095 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Excel IPMT record buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|06 04 00 00 A7 00 04 00 B0 0F 0C 00 3C 00 50 01 77 8D A4 06 30 00 00 00 00 00 00 00 00 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-0101; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-021; classtype:attempted-user; sid:25294; rev:1; service:http; service:imap; service:pop3; )
# sid:25393 (CVE-2010-3333): "pfragments" followed by a fixed byte run (it
# contains the text "\*\*}\sv{}{\in"). Case-sensitive and layout-specific,
# unlike sid:18706 earlier in this file, which covers the same CVE with
# nocase plus a length check on the \sv value.
02099 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office RTF malformed pfragments field"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"pfragments|00 CC 7D 7B 7B 5C 2A 5C 2A 7D 5C 73 76 7B 7D 7B 5C 69 6E|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,44652; reference:cve,2010-3333; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-087; classtype:attempted-user; sid:25393; rev:1; service:http; service:imap; service:pop3; )
# sid:17421 (CVE-2007-2224): script calling substringData(x, 0x7FFFFFF6 ..
# 0x7FFFFFFF). Only the literal hex spelling is matched (PCRE
# "0x7(f|F){6}[6-9a-f]"); the same value written in decimal, or computed at
# runtime, bypasses the rule. HTTP only, no file-type flowbit.
02104 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft OLE automation string manipulation overflow attempt"; flow:to_client,established; file_data; content:"|2E|substringData"; pcre:"/\x2esubstringData\s*\x28[^\x2c]*\x2c\s*0x7(f|F){6}[6-9AaBbCcDdEeFf]/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,25282; reference:cve,2007-2224; classtype:attempted-user; sid:17421; rev:3; service:http; )
# sid:26170 (CVE-2013-0086, MS13-025, OneNote over-read): the 16 bytes at
# depth 16 appear to be the OneNote file-type GUID at the start of a .one
# file -- confirm. byte_test reads 2 bytes immediately after the 8-byte
# marker with no endianness flag, so Snort's default (big-endian) applies;
# if that field is little-endian on disk, ">499" is evaluated on the
# byte-swapped value. Verify intent against a known sample.
02106 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office OneNote 2010 buffer overread info disclosure attempt"; flow:to_client,established; file_data; content:"|E4 52 5C 7B 8C D8 A7 4D AE B1 53 78 D0 29 96 D3|",depth 16; content:"|09 34 00 20 5B 34 00 1C|"; byte_test:2,>,499,0,relative; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-0086; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-025; classtype:attempted-recon; sid:26170; rev:1; service:http; service:imap; service:pop3; )
# sid:26626 / sid:26627 (CVE-2013-1301, MS13-044, Visio XML/SVG XXE): both
# require a parameter entity ("<!ENTITY % name SYSTEM ...") whose "%name;"
# is reused inside a second entity that fetches an "http://" URL -- the
# classic out-of-band file exfiltration shape. Only the literal "http://"
# scheme is matched; https://, ftp:// or any other scheme is not covered.
# sid:26626 is HTTP-only (file.xml, $HTTP_PORTS); sid:26627 (file.svg) also
# covers mail. In 26626 the first entity must use "file:///"; in 26627 the
# local-file entity is not checked at all, only the remote one.
02115 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Visio XML parameter entity reference local file disclosure attempt"; flow:to_client,established; flowbits:isset,file.xml; file_data; content:"<!ENTITY",nocase; content:"SYSTEM",within 25,nocase; content:"file:///",within 25,fast_pattern,nocase; content:"<!ENTITY",distance 0,nocase; content:"SYSTEM",within 25,nocase; content:"http://",within 25,nocase; pcre:"/<\x21ENTITY\s+?\x25\s+?(?P<local>[^\s]+?)\s+?SYSTEM\s+?[\x22\x27]\s*?file:\x2f\x2f\x2f.*?[\x22\x27]\s*?<\x21ENTITY\s+?(\x25|%\x3b)[^>]+?SYSTEM\s+?[\x22\x27]\s*?http:\x2f\x2f[^>]+?\x25(?P=local)\x3b/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-1301; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-044; classtype:attempted-recon; sid:26626; rev:1; service:http; )
02116 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Visio SVG external entity local file disclosure attempt"; flow:to_client,established; flowbits:isset,file.svg; file_data; content:"<!DOCTYPE",nocase; content:"svg",within 25,nocase; content:"<!ENTITY",within 25,nocase; content:"SYSTEM",within 25,nocase; content:"http://",within 25,nocase; pcre:"/<\x21DOCTYPE\s+?svg\s+?\[\s*?<\x21ENTITY\s+?\x25\s+?(?P<remote>[^\s]+?)\s+?SYSTEM\s+?[\x22\x27]\s*?http:\x2f\x2f[^\x5d]+?\x25(?P=remote)\x3b/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-1301; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-044; classtype:attempted-recon; sid:26627; rev:1; service:http; service:imap; service:pop3; )
# sid:26672 (CVE-2007-1910, Word TextBox sub-document): requires BOTH the
# file.doc and file.ole flowbits. The first content decodes to the ASCII
# string "Buffer overflow" -- a marker from the public PoC rather than
# anything the bug needs; a weaponised variant will not carry it, so the
# effective coverage is the second and third byte patterns only if this
# string is ever dropped.
02119 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office Word TextBox sub-document memory corruption attempt"; flow:to_client,established; flowbits:isset,file.doc&file.ole; file_data; content:"|42 75 66 66 65 72 20 6F 76 65 72 66 6C 6F 77|"; content:"|09 04 16 00 35 0E 00 00 CE 90 01 00 CE 90 01 00 10 00 00 00|"; content:"|00 00 00 00 00 00 00 00 FF FF 0F 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,23380; reference:cve,2007-1910; reference:url,osvdb.org/show/osvdb/37633; classtype:attempted-user; sid:26672; rev:1; service:http; service:imap; service:pop3; )
# sid:26707 / sid:26708 (CVE-2008-0120, PowerPoint Viewer): two fixed 33-byte
# record sequences that differ in a single byte (64 vs 0A); sample-specific.
02124 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office PowerPoint Viewer memory allocation code execution attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|43 00 0B F0 2E 00 00 00 7F 00 80 00 80 00 04 41 64 00 00 00 05 C1 16 00 00 00 06 01 01 00 00 00 31|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,30552; reference:cve,2008-0120; classtype:attempted-user; sid:26707; rev:1; service:http; service:imap; service:pop3; )
02125 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office PowerPoint Viewer memory allocation code execution attempt"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|43 00 0B F0 2E 00 00 00 7F 00 80 00 80 00 04 41 0A 00 00 00 05 C1 16 00 00 00 06 01 01 00 00 00 31|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,30552; reference:cve,2008-0120; classtype:attempted-user; sid:26708; rev:1; service:http; service:imap; service:pop3; )
# sid:26711 (CVE-2009-0100, MS09-009, Excel ftCMO): after the first 8-byte
# header the fast-pattern content is located, the cursor steps back 10 bytes
# to check for 5D 00, the next 2 bytes are byte_tested (little-endian) for
# > 0, and finally no EC 00 may occur in the 2049 bytes before the cursor
# (within 2049,distance -2049). The negative-distance arithmetic is easy to
# break -- re-test against a known sample if any content here is edited.
02128 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Excel malformed ftCMO record remote code execution attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|09 08 10 00 00 06 10 00|"; content:"|15 00 12 00 08 00|",distance 0,fast_pattern; content:"|5D 00|",within 2,distance -10; byte_test:2,>,0,0,little,relative; content:!"|EC 00|",within 2049,distance -2049; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-0100; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-009; classtype:attempted-user; sid:26711; rev:1; service:http; service:imap; service:pop3; )
# Two-stage detection for the MSComctlLib.Toolbar abuse documented in the
# 2013 "Tomato Garden" write-up. sid:26830 only sets the mscomctl.toolbar
# flowbit when the ProgID "MSComctlLib.Toolbar.2" is seen in file data;
# flowbits:noalert means it never raises an event on its own (the metadata
# "alert" policy is therefore moot). sid:26832 then needs that flowbit, the
# file.rtf OR file.ole flowbit, and the repeated "CKBJ" padding pattern from
# the observed samples. Nothing ever unsets mscomctl.toolbar, so once set it
# stays on for the life of the flow.
02129 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office MSComctlLib.Toolbar ActiveX control access"; flow:to_client,established; file_data; content:"MSComctlLib.Toolbar.2"; flowbits:set,mscomctl.toolbar; flowbits:noalert; metadata:policy balanced-ips alert,policy security-ips alert,service http,service imap,service pop3; classtype:misc-activity; sid:26830; rev:2; service:http; service:imap; service:pop3; )
02131 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office MSComctlLib.Toolbar ActiveX control exploit attempt"; flow:to_client,established; flowbits:isset,file.rtf|file.ole; flowbits:isset,mscomctl.toolbar; file_data; content:"CKBJCKBJCKBJCKBJCKBJCKBJCKBJCKBJ"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,blog.malwaretracker.com/2013/06/tomato-garden-campaign-possible.html; classtype:attempted-user; sid:26832; rev:1; service:http; service:imap; service:pop3; )
# sid:27089 (MS08-044 EPS import filter): needs the PostScript header text
# anywhere plus the DOS-EPS binary header magic C5 D0 D3 C6 in the first 4
# bytes. byte_test then reads a little-endian dword 24 bytes past the magic
# (file offset 28) and alerts if it exceeds 65535; under the usual DOS EPS
# header layout (magic, PS offset/len, WMF offset/len, TIFF offset/len) that
# slot is the TIFF section length -- confirm against the spec before tuning.
02133 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office eps filters memory corruption attempt"; flow:to_client,established; flowbits:isset,file.eps; file_data; content:"%!PS-Adobe-3.1 EPSF-3.0"; content:"|C5 D0 D3 C6|",depth 4; byte_test:4,>,65535,24,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,30595; reference:cve,2006-1317; reference:cve,2008-3019; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-044; classtype:attempted-user; sid:27089; rev:1; service:http; service:imap; service:pop3; )
# sid:27215 / sid:27216 (CVE-2009-0226 / CVE-2009-0227, PowerPoint): fixed
# 32-byte runs that end in 'A' (0x41) padding from the PoC; sample-specific,
# and the padding bytes are the first thing an attacker would change.
02135 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office PowerPoint schemes record buffer overflow"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|B2 B2 B2 B2 B2 B2 01 80 2C 01 5F 16 05 00 FF 7F 00 00 FF 00 00 00 00 00 41 41 41 41 41 41 41 41|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-0226; classtype:attempted-user; sid:27215; rev:1; service:http; service:imap; service:pop3; )
02136 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office PowerPoint printer record buffer overflow"; flow:to_client,established; flowbits:isset,file.ppt; file_data; content:"|4E 6F 6E 65 00 44 72 69 76 65 72 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-0227; classtype:attempted-user; sid:27216; rev:1; service:http; service:imap; service:pop3; )
# sid:17442 (MS05-049 .lnk): literal, case-sensitive "WINDOWS\system32\cmd.exe".
# Shortcuts written by current Windows releases spell the path
# "Windows\System32\cmd.exe", which this rule does not match; add nocase
# (and bump rev) unless the original casing was deliberate.
02137 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Microsoft Windows download of .lnk file that executes cmd.exe detected"; flow:to_client,established; flowbits:isset,file.lnk; file_data; content:"WINDOWS|5C|system32|5C|cmd|2E|exe"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,15069; reference:cve,2005-2122; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-049; classtype:attempted-user; sid:17442; rev:7; service:http; service:imap; service:pop3; )
# sid:22032 (CVE-2006-1043, Visual Studio .vap): the key '"projectname" = "'
# with no closing double quote within the next 200 bytes.
02138 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Visual Studio VAP file handling buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.vap; file_data; content:"|22|projectname|22| = |22|",nocase; content:!"|22|",within 200; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2006-1043; reference:url,www.securityfocus.com/bid/16953; classtype:attempted-user; sid:22032; rev:2; service:http; service:imap; service:pop3; )
# sids 23152-23155 (CVE-2010-2741, MS10-078 OTF): "OTTO" magic, a "cmap" table
# record within the first 200 bytes after it, then a "head" or "name" record
# within 200 bytes of that. An OpenType table record is tag(4) checkSum(4)
# offset(4) length(4), so offset 4 after the tag is the table offset and
# offset 8 the table length; each rule flags one of those with the top bit
# set (>= 0x80000000). No endianness flag, so Snort's big-endian default is
# used, which matches the OpenType on-disk byte order.
02139 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER OpenType Font file integer overflow attempt"; flow:to_client,established; flowbits:isset,file.otf; file_data; content:"OTTO",depth 4; content:"cmap",within 200; content:"head",within 200; byte_test:4,>=,0x80000000,4,relative; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-2741; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-078; classtype:attempted-user; sid:23152; rev:2; service:http; service:imap; service:pop3; )
02140 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER OpenType Font file integer overflow attempt"; flow:to_client,established; flowbits:isset,file.otf; file_data; content:"OTTO",depth 4; content:"cmap",within 200; content:"head",within 200; byte_test:4,>=,0x80000000,8,relative; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-2741; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-078; classtype:attempted-user; sid:23153; rev:2; service:http; service:imap; service:pop3; )
02141 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER OpenType Font file integer overflow attempt"; flow:to_client,established; flowbits:isset,file.otf; file_data; content:"OTTO",depth 4; content:"cmap",within 200; content:"name",within 200; byte_test:4,>=,0x80000000,4,relative; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-2741; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-078; classtype:attempted-user; sid:23154; rev:2; service:http; service:imap; service:pop3; )
02142 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER OpenType Font file integer overflow attempt"; flow:to_client,established; flowbits:isset,file.otf; file_data; content:"OTTO",depth 4; content:"cmap",within 200; content:"name",within 200; byte_test:4,>=,0x80000000,8,relative; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-2741; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-078; classtype:attempted-user; sid:23155; rev:2; service:http; service:imap; service:pop3; )
# Multi-AV evasion via file-format confusion (CVE-2012-1419..1430 family):
# a file whose first bytes claim one format while "ustar" at offset 257
# makes it parse as a tar archive.
# NOTE: sid:23318 and sid:23323 have byte-identical detection (ELF magic at
# offset 0, "ustar" at 257) and differ only in msg/CVE, so every matching
# payload raises both; dedupe downstream or fold them into one rule.
# Neither is gated on a file-type flowbit. sids 23328/23329 apply the same
# layout to the CHM ("ITSF") and CAB ("MSCF") magics. sids 23326/23357 look
# for 19 04 00 10 at offset 8 in flows already flagged as tar / ELF (what
# that value encodes is not evident from the rule -- see the CVE text), and
# sid:23351 for a tar-flagged file that begins with "[aliases]".
02143 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER ELF multiple antivirus evasion attempts"; flow:to_client,established; file_data; content:"|7F|ELF",depth 4; content:"ustar",depth 5,offset 257; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1429; classtype:attempted-user; sid:23318; rev:2; service:http; service:imap; service:pop3; )
02144 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER TAR multiple antivirus evasion attempt"; flow:to_client,established; file_data; content:"|7F|ELF",depth 4; content:"ustar",depth 5,offset 257; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1420; classtype:attempted-user; sid:23323; rev:2; service:http; service:imap; service:pop3; )
02145 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER TAR multiple antivirus evasion attempt"; flow:to_client,established; flowbits:isset,file.tar; file_data; content:"|19 04 00 10|",depth 4,offset 8; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1424; classtype:attempted-user; sid:23326; rev:1; service:http; service:imap; service:pop3; )
02146 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER TAR multiple antivirus evasion attempt"; flow:to_client,established; file_data; content:"ITSF",depth 4; content:"ustar",depth 5,offset 257; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1422; classtype:attempted-user; sid:23328; rev:2; service:http; service:imap; service:pop3; )
02147 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER TAR multiple antivirus evasion attempt"; flow:to_client,established; file_data; content:"MSCF",depth 4; content:"ustar",depth 5,offset 257; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1421; classtype:attempted-user; sid:23329; rev:2; service:http; service:imap; service:pop3; )
02148 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER TAR multiple antivirus evasion attempt"; flow:to_client,established; flowbits:isset,file.tar; file_data; content:"[aliases]",depth 9,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1419; classtype:attempted-user; sid:23351; rev:1; service:http; service:imap; service:pop3; )
02149 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER ELF multiple antivirus evasion attempts"; flow:to_client,established; flowbits:isset,file.elf; file_data; content:"|19 04 00 10|",depth 4,offset 8; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1430; classtype:attempted-user; sid:23357; rev:1; service:http; service:imap; service:pop3; )
# sid:17807 / sid:17806 (CVE-2010-3653, Shockwave rcsL chunk): locate the
# rcsL chunk header, use isdataat to make sure the fixed distance is still
# inside the buffer, then require a 20-byte run exactly 484 (resp. 192)
# bytes after the header. Tied to the sample layout: any change to the
# intervening data defeats the rule.
02152 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Shockwave Director rcsL chunk remote code execution attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"|FF FF FF FF FF FF FF 00 00|rcsL"; isdataat:484,relative; content:"|00 00 00 80 00 00 F0 41 41 41 41 41 41 AB 41 05 43 01 57 17|",within 20,distance 484; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,44291; reference:cve,2010-3653; reference:url,www.adobe.com/support/security/advisories/apsa10-04.html; classtype:attempted-user; sid:17807; rev:8; service:http; service:imap; service:pop3; )
02153 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Shockwave Director rcsL chunk remote code execution attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"|FF FF 00 00|rcsL"; isdataat:192,relative; content:"|01 02 4C 00 00 00 00 80 00 00 F0 FF F0 02 67 25 A2 01 33 41|",within 20,distance 192; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,44291; reference:cve,2010-3653; reference:url,www.adobe.com/support/security/advisories/apsa10-04.html; classtype:attempted-user; sid:17806; rev:8; service:http; service:imap; service:pop3; )
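# sid:23371 (CVE-2010-2866, Shockwave 3D / tSAC): after "Shockwave 3D",
# "XFIR" and a "tSAC" chunk tag, byte_test reads 2 bytes at offset 40 from
# the tag with no endianness flag (big-endian default) and alerts if > 32767,
# i.e. the top bit of that 16-bit field is set; a trailing "shockwave3d"
# string must also follow. Companion sid:17202 checks offset 36 and has no
# trailing-string requirement.
# Fix: msg read "Adobe Director file file Shockwave 3D ..." (doubled word);
# corrected and rev bumped 3 -> 4 so the change is visible to consumers.
02154 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Director file Shockwave 3D overflow attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"Shockwave 3D"; content:"XFIR",nocase; content:"tSAC",distance 0,nocase; byte_test:2,>,32767,40,relative; content:"shockwave3d",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-2866; reference:url,www.adobe.com/support/security/bulletins/apsb10-20.html; classtype:attempted-user; sid:23371; rev:4; service:http; service:imap; service:pop3; )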
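# sid:16223 (CVE-2009-3464, Shockwave tSAC pointer overwrite): fixed byte
# run starting at the "tSAC" tag; sample-specific.
# Fix: the flowbits option was written "isset, file.dir" with a stray space
# after the comma -- the only rule in this file spelled that way. Snort
# tolerates it, but it defeats grep/lint consistency, so it is normalised
# to "isset,file.dir" and rev bumped 9 -> 10. Detection is unchanged.
02155 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Shockwave tSAC pointer overwrite attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"tSAC<|04 00 00 00 04 00 00 04|2|0B 00 00 01 00 00 00 14 0C 0C 0C 0C|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-3464; reference:url,www.adobe.com/support/security/bulletins/apsb09-16.html; classtype:attempted-user; sid:16223; rev:10; service:http; service:imap; service:pop3; )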
# sid:16220 (CVE-2009-3466, lcsr block): fixed bytes followed by the text
# "http://www." -- sample-specific.
02156 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Shockwave director file malformed lcsr block memory corruption attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"p|00 00 00 01 00 00 00 A8 FF FB|m|10|http|3A|//www."; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-3466; reference:url,www.adobe.com/support/security/bulletins/apsb09-16.html; classtype:attempted-user; sid:16220; rev:9; service:http; service:imap; service:pop3; )
# sid:17200 (CVE-2010-2864, LsCM): the 4-byte value right after "LsCM", read
# big-endian (no endianness flag), must exceed 4211081214 (0xFAFFFFFE).
# sids 17181 / 17180 are fixed-byte variants of the same record.
02157 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Director file LsCM overflow attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"LsCM"; byte_test:4,>,4211081214,0,relative; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-2864; classtype:attempted-user; sid:17200; rev:7; service:http; service:imap; service:pop3; )
02158 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Director file LsCM record exploit attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"LsCM|3A 00 00 00 00 00 00 0C 00 00 00 01 00 04 00 00 40 05 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-2864; classtype:attempted-user; sid:17181; rev:6; service:http; service:imap; service:pop3; )
02159 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Director file LsCM record exploit attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"LsCM|3A 00 00 00 00 00 00 0C 00 00 40 01|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-2864; classtype:attempted-user; sid:17180; rev:6; service:http; service:imap; service:pop3; )
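# sid:17202 (CVE-2010-2866, Shockwave 3D / tSAC): same shape as sid:23371
# but the 16-bit big-endian field tested for > 32767 (top bit set) is at
# offset 36 from the "tSAC" tag, and no trailing "shockwave3d" is required.
# Fix: msg read "Adobe Director file file Shockwave 3D ..." (doubled word);
# corrected and rev bumped 9 -> 10 so the change is visible to consumers.
02160 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Director file Shockwave 3D overflow attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"Shockwave 3D"; content:"XFIR",nocase; content:"tSAC",distance 0,nocase; byte_test:2,>,32767,36,relative; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-2866; reference:url,www.adobe.com/support/security/bulletins/apsb10-20.html; classtype:attempted-user; sid:17202; rev:10; service:http; service:imap; service:pop3; )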
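# sid:17203 (CVE-2010-2867, rcsL): the single byte 76 bytes after the "rcsL"
# tag must be > 127, i.e. have its top bit set. Only the tag and one byte
# are checked, so false positives on legitimate Director files are possible
# -- keep an eye on hit rates.
# Fix: msg read "Adobe Director file file rcsL ..." (doubled word);
# corrected and rev bumped 7 -> 8 so the change is visible to consumers.
02161 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Director file rcsL overflow attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"rcsL"; byte_test:1,>,127,76,relative; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-2867; classtype:attempted-user; sid:17203; rev:8; service:http; service:imap; service:pop3; )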
02162 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Director file rcsL record exploit attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"|52 02 4C 00 61 46 43 01 57 C9 41 01 06 52 43 4C|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-2868; reference:cve,2010-2869; classtype:attempted-user; sid:17189; rev:6; service:http; service:imap; service:pop3; )
02163 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Director file rcsL record exploit attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"rcsL|0E 05 00 00 00 00 00 00 00 00 00 00 00 00 05 0E|"; content:"|0A 08 19 1E 1C 1E 1F 1E 44 00 43 01 57 6E A1 9C|",within 16,distance 512; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-2868; reference:cve,2010-2869; classtype:attempted-user; sid:17188; rev:6; service:http; service:imap; service:pop3; )
02164 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Director file rcsL record exploit attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"|8F 41 01 45 C2 AE 00 FF 45 B0 41 24 43 46 1F 42|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-2868; reference:cve,2010-2869; classtype:attempted-user; sid:17187; rev:6; service:http; service:imap; service:pop3; )
02165 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Director file rcsL record exploit attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"rcsL|0E 05 00 00 00 00 00 00 00 00 00 00|"; content:"|01 17 00 C0 FF FF 00 00 00 C1 00 00 01 84 00 00|",within 16,distance 84; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-2868; reference:cve,2010-2869; classtype:attempted-user; sid:17186; rev:6; service:http; service:imap; service:pop3; )
02166 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Director file rcsL record exploit attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"rcsL|0E 05 00 00 00 00 00 00 00 00 00 00 00 00 05 0E 00 00 05 0E 00 5C 00 40|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-2868; reference:cve,2010-2869; classtype:attempted-user; sid:17185; rev:6; service:http; service:imap; service:pop3; )
02167 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Director file tSAC record exploit attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"tSAC|B7 00 00 00 00 00 00 01 00 00 00 8F|"; content:"|00 00 00 00 00 00 00 00 00 06 00 00 00 45 00 00|",within 16,distance 28; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-2868; reference:cve,2010-2869; classtype:attempted-user; sid:17184; rev:6; service:http; service:imap; service:pop3; )
# sid 17183 — tSAC header variant; trailing 16-byte sequence at distance 24.
02168 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Director file tSAC record exploit attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"tSAC|B7 00 00 00 00 00 00 01 00 00 00 8F|"; content:"|00 16 00 00 00 00 00 00 00 00 00 00 00 45 00 00|",within 16,distance 24; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-2868; reference:cve,2010-2869; classtype:attempted-user; sid:17183; rev:6; service:http; service:imap; service:pop3; )
# sid 17182 — tSAC header variant; trailing 16-byte sequence at distance 20.
02169 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Director file tSAC record exploit attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"tSAC|B7 00 00 00 00 00 00 01 00 00 00 8F|"; content:"|00 00 00 00 00 16 00 00 00 00 00 00 00 3F 00 00|",within 16,distance 20; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-2868; reference:cve,2010-2869; classtype:attempted-user; sid:17182; rev:6; service:http; service:imap; service:pop3; )
# sid 17179 — "pamm" chunk: the 32-bit big-endian value 20 bytes after the tag must exceed 4294967118
# (0xFFFFFF4E), and the negated content excludes the all-ones 0xFFFFFFFF case — i.e. a size/count field
# sitting in the last ~0xB1 values below the 32-bit maximum, consistent with the integer-wrap the CVEs describe.
02170 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Director file pamm record exploit attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"pamm"; byte_test:4,>,4294967118,20,relative; content:!"|FF FF FF FF|",within 4,distance 20; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-2868; reference:cve,2010-2869; classtype:attempted-user; sid:17179; rev:6; service:http; service:imap; service:pop3; )
# sid 17204 — Director "mmap" overflow (CVE-2010-2870): requires the big-endian RIFX container magic in the
# first 4 bytes, then an "mmap" tag whose immediately following 32-bit big-endian field is greater than 32768.
02171 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Director file mmap overflow attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"RIFX",depth 4; content:"mmap"; byte_test:4,>,32768,0,relative; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-2870; classtype:attempted-user; sid:17204; rev:8; service:http; service:imap; service:pop3; )
# sid 17803 — rcsL chunk (CVE-2010-2873): isdataat guarantees at least 203 bytes remain after the tag before
# the 4-byte check at distance 203 runs, so a truncated buffer cannot produce a false match or a short read.
02172 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Shockwave Director rcsL chunk memory corruption attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"rcsL"; isdataat:203,relative; content:"|FF F0 02 67|",within 4,distance 203; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,42682; reference:cve,2010-2873; reference:url,www.adobe.com/support/security/bulletins/apsb10-20.html; classtype:attempted-user; sid:17803; rev:8; service:http; service:imap; service:pop3; )
# sid 16293 — Shockwave (CVE-2009-3463): a 21-byte fixed sequence (mixing hex and the ASCII chars 'H' and '6'),
# then a negated 4-byte check placed 24 bytes back from the end of that match (distance -24, within 4).
# Note the rule is gated on file.dir even though the msg says "Shockwave Flash".
02173 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Shockwave Flash memory corruption attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"|FF FF FF FF 01 1F 02|H|00 00 00|6|00 00 FF FF 01 1F 1F EE|"; content:!"|FF FF FF FF|",within 4,distance -24; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-3463; classtype:attempted-user; sid:16293; rev:5; service:http; service:imap; service:pop3; )
# sid 17190 — Director RCE (CVE-2010-2871): "EyeL" chunk tag plus a fixed 24-byte payload; single-pattern,
# sample-specific signature (sids 17191–17193 below follow the same one-chunk-one-CVE pattern).
02174 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Director remote code execution attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"EyeL|04 00 00 00 01 00 00 00 42 00 00 00 70 00 00 00 99 00 00 00 56 55 55 15|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-2871; classtype:attempted-user; sid:17190; rev:9; service:http; service:imap; service:pop3; )
# sid 17191 — Director RCE (CVE-2010-2872): "39VMpami" text followed by a 9-byte fixed tail that includes
# the ASCII bytes 41 41 41 ('AAA'), which reads as proof-of-concept padding rather than real content.
02175 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Director remote code execution attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"39VMpami|18 00 00 00 01 41 41 41 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-2872; classtype:attempted-user; sid:17191; rev:9; service:http; service:imap; service:pop3; )
# sid 17192 — Director RCE (CVE-2010-2873): fixed 20-byte sequence, no chunk tag anchor; file.dir gated.
02176 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Director remote code execution attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"|00 23 6F 98 00 00 00 00 00 00 00 62 00 00 00 01 00 0F FF FF|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-2873; classtype:attempted-user; sid:17192; rev:9; service:http; service:imap; service:pop3; )
# sid 17193 — Director RCE (CVE-2010-2874): two adjacent chunk tags, "muhT" (size 0x9B) then "FCRD" (size 0xA8),
# with the sizes encoded little-endian in the bytes that follow each tag.
02177 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Director remote code execution attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"muhT|9B 00 00 00 00 04 00 00|FCRD|A8 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-2874; classtype:attempted-user; sid:17193; rev:9; service:http; service:imap; service:pop3; )
# sid 17194 — tSAC tag exploit (CVE-2010-2875): matches the "shockwave3d" and "P3DPR" strings with specific
# surrounding length/flag bytes; msg says "tSAC" but the pattern itself does not contain that tag.
02178 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Director file tSAC tag exploit attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"|FF FF 00 00|shockwave3d|00 00 01|P3DPR|00 00 01|P|00 00 00 06 00 00 00 01|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,42668; reference:cve,2010-2875; reference:url,www.adobe.com/support/security/bulletins/apsb10-20.html; classtype:attempted-user; sid:17194; rev:9; service:http; service:imap; service:pop3; )
# sid 17196 — Director (CVE-2010-2877): 52-byte fixed sequence of small big-endian integers ending in 0F E1 FD;
# no tag anchor, so it is keyed to a specific sample layout.
02179 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Director file exploit attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"|01 36 01 00 00 00 80 80 00 00 00 15 00 00 00 03 00 00 00 27 00 00 00 24 00 00 00 02 00 00 00 06 00 00 00 00 00 00 00 00 00 00 00 06 00 01 00 00 00 0F E1 FD|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-2877; classtype:attempted-user; sid:17196; rev:9; service:http; service:imap; service:pop3; )
# sid 17198 — Director (CVE-2010-2878): fixed sequence whose hex decodes to the ASCII fragments "Text",
# "Greg Barnett" and "text" with binary framing between them — a sample-specific cast-member record.
02180 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Director file exploit attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"|6D 9E 54 65 78 74 00 00 00 00 00 00 00 00 00 00 00 00 0F 00 00 01 1A 3A 36 23 16 3A 37 0C 29 47 72 65 67 20 42 61 72 6E 65 74 74 00 80 80 00 04 74 65 78 74 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-2878; classtype:attempted-user; sid:17198; rev:9; service:http; service:imap; service:pop3; )
# sid 17197 — Director (CVE-2010-2879): fixed sequence made mostly of ASCII digit bytes (0x30–0x38) with
# 0x02/0x03/0x82 separators, e.g. the run "000A00000013"; sample-specific, no tag anchor.
02181 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Director file exploit attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"|32 02 30 82 02 31 30 02 38 38 02 30 82 02 31 30 02 38 38 03 30 30 30 41 30 30 30 30 30 30 31 33 00 00 30 30 30 30 30 32 02 30 82 02 31 30 02 38|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-2879; classtype:attempted-user; sid:17197; rev:9; service:http; service:imap; service:pop3; )
# sid 21629 — AV-evasion ELF (CVE-2012-1431): the ELF magic in the first 4 bytes immediately followed, two
# bytes later (offset 6–9), by the bytes "JFIF" — a JPEG marker planted inside the ELF identification area.
# Unlike sid 21630 below it does not depend on the file.elf flowbit; it anchors on the magic itself.
02182 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER ELF file parsing in different antivirus evasion attempt"; flow:to_client,established; file_data; content:"|7F|ELF",depth 4; content:"|4A 46 49 46|",within 4,distance 2; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1431; reference:url,securityfocus.com/archive/1/522005; classtype:bad-unknown; sid:21629; rev:3; service:http; service:imap; service:pop3; )
# sid 21630 — AV-evasion ELF (CVE-2012-1430): file.elf gated; checks for 19 04 00 10 at absolute offset 8,
# which falls inside the 16-byte e_ident block of the ELF header.
02183 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER ELF file parsing in different antivirus evasion attempt"; flow:to_client,established; flowbits:isset,file.elf; file_data; content:"|19 04 00 10|",depth 4,offset 8; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1430; reference:url,securityfocus.com/archive/1/522005; classtype:bad-unknown; sid:21630; rev:2; service:http; service:imap; service:pop3; )
# sid 21057 — Java Rhino script-engine escape (CVE-2011-3544): three case-insensitive JavaScript fragments in
# order — a toString override, a setSecurityManager(null) call, and a String.fromCharCode(97 builder.
# NOTE(review): gated on flowbits file.universalbinary rather than a Java/JAR flowbit — confirm this is intended.
02184 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Java Applet Rhino script engine remote code execution attempt"; flow:to_client,established; flowbits:isset,file.universalbinary; file_data; content:"this.toString = function|28|",nocase; content:"java.lang.System.setSecurityManager|28|null|29|",distance 0,nocase; content:"return String.fromCharCode|28|97",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-3544; reference:url,osvdb.org/show/osvdb/76500; classtype:attempted-user; sid:21057; rev:4; service:http; service:imap; service:pop3; )
# sid 21869 — Java sandbox breach (CVE-2012-0507): "AtomicReferenceArray" followed by a decompiler-style
# cast statement. Policy note: balanced-ips only alerts here while security-ips drops.
# Same file.universalbinary gating as sid 21057.
02185 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Java JRE sandbox breach attempt"; flow:to_client,established; flowbits:isset,file.universalbinary; file_data; content:"AtomicReferenceArray"; content:"localAtomicReferenceArray = (AtomicReferenceArray)arrayofObject",distance 0,nocase; metadata:policy balanced-ips alert,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,52161; reference:cve,2012-0507; classtype:attempted-user; sid:21869; rev:2; service:http; service:imap; service:pop3; )
# sid 17363 — OS X DMG volume-name corruption (CVE-2007-0197): after the bytes 00 00 00 00 "LABL", the
# 16-bit big-endian field 12 bytes further on must exceed 254 — an oversized name length.
02186 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Apple OSX Finder DMG volume name memory corruption"; flow:to_client,established; flowbits:isset,file.dmg; file_data; content:"|00 00 00 00 4C 41 42 4C|"; byte_test:2,>,254,12,relative; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2007-0197; classtype:attempted-user; sid:17363; rev:7; service:http; service:imap; service:pop3; )
# sid 18463 — MS10-052 MP3 heap corruption: two frames beginning with the FF FA sync bytes exactly 412 bytes
# apart (the second is the fast_pattern), then a 38-byte fixed sequence right after. Gated on file.asx.
02187 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Microsoft Windows MPEG Layer-3 audio heap corruption attempt"; flow:to_client,established; flowbits:isset,file.asx; file_data; content:"|FF FA 92 60 3C 6F|"; content:"|FF FA 92 C9 B9 56|",within 6,distance 412,fast_pattern; content:"|A9 00 04 48 58 DC E1 83 4B 68 32 01 9B BC 04 A3 27 0E A5 3D 71 66 0D 2D A8 D3 84 AF 3C 14 88 94 3E 89 CA BF 80 9C|",within 38; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-1882; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-052; classtype:attempted-user; sid:18463; rev:9; service:http; service:imap; service:pop3; )
# sid 21489 — malicious CHM: the fixed bytes decode to the directory entries "/my.htm" and "/service.exe";
# classtype trojan-activity and the only reference is a VirusTotal sample hash, so treat it as IoC-style.
02188 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Microsoft Windows chm file malware related exploit"; flow:to_client,established; flowbits:isset,file.chm; file_data; content:"|78 07 2F 6D 79 2E 68 74 6D 01 84 A0 00 81 5C 0C 2F 73 65 72 76 69 63 65 2E 65 78 65 01 00 84 A0|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/file/508508b8105d7d9b5289813b385f9be233d76e09a2ad3c647e8dc5078db8eff1/analysis/; classtype:trojan-activity; sid:21489; rev:4; service:http; service:imap; service:pop3; )
# sid 19219 — Fax cover-page (.cov) double free (CVE-2010-2701): fixed 16-byte record containing a negative
# little-endian length (FE FF FF FF); sid 19220 below is a second sample-specific pattern for the same CVE.
02189 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Microsoft Windows Fax Services Cover Page Editor Double Free Memory Corruption"; flow:to_client,established; flowbits:isset,file.cov; file_data; content:"|00 73 00 04 00 AD FE FF FF FE 01 00 00 2F FF FF|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,45942; reference:cve,2010-2701; classtype:attempted-admin; sid:19219; rev:7; service:http; service:imap; service:pop3; )
# sid 19308 — MS10-076 EOT integer overflow (CVE-2010-1883): 20-byte fixed sequence in a file.eot stream;
# looks like compressed/MTX payload bytes from a specific sample rather than a structural check.
02190 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Microsoft Windows embedded OpenType EOT font integer overflow attempt"; flow:to_client,established; flowbits:isset,file.eot; file_data; content:"|52 E7 0D 2C 32 3E 1D FC BE E2 B2 A1 E9 94 6A 46 57 35 B4 FD|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,43775; reference:cve,2010-1883; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-076; classtype:attempted-user; sid:19308; rev:9; service:http; service:imap; service:pop3; )
# sid 19220 — second .cov pattern for CVE-2010-2701; the bytes include UTF-16LE "BUG" (42 00 55 00 47 00)
# followed by a negative little-endian value (A7 FE FF FF).
02191 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Microsoft Windows Fax Services Cover Page Editor Double Free Memory Corruption"; flow:to_client,established; flowbits:isset,file.cov; file_data; content:"|00 00 42 00 55 00 47 00 0A 00 A7 FE FF FF DA 01|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,45942; reference:cve,2010-2701; classtype:attempted-admin; sid:19220; rev:7; service:http; service:imap; service:pop3; )
# sid 19170 — .NET XBAP stack corruption (CVE-2010-3958): UTF-16LE sequence beginning "/Y" and containing
# the non-ASCII code point U+0141 twice (41 01), in a file.manifest stream.
02192 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Microsoft Windows .NET Framework XAML browser applications stack corruption"; flow:to_client,established; flowbits:isset,file.manifest; file_data; content:"|2F 00 59 00 41 01 6B 00 61 00 41 01 6B 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,47223; reference:cve,2010-3958; classtype:attempted-user; sid:19170; rev:6; service:http; service:imap; service:pop3; )
# sid 18952 — MS10-063 Uniscribe font parsing (CVE-2010-2738): 32-byte fixed sequence of 32-bit values
# (AA FF FF FF FF, then 0x20, 3, 0x21, 0x7E, 4, 0xA0) in a file.ttf stream.
02193 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Microsoft Windows uniscribe fonts parsing memory corruption attempt"; flow:to_client,established; flowbits:isset,file.ttf; file_data; content:"|AA FF FF FF FF 00 00 00 20 00 00 00 03 00 00 00 21 00 00 00 7E 00 00 00 04 00 00 00 A0 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,43068; reference:cve,2010-2738; reference:url,osvdb.org/show/osvdb/67984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-063; classtype:attempted-user; sid:18952; rev:10; service:http; service:imap; service:pop3; )
# sid 17735 — PageMaker font-name overflow (CVE-2007-5169): twelve 0x61 ('a') bytes, the marker 0F 42 01 05,
# then eight 0x41 ('A') bytes — a proof-of-concept padding layout, so expect it to miss variant samples.
02194 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Pagemaker Font Name Buffer Overflow attempt"; flow:to_client,established; flowbits:isset,file.pmd; file_data; content:"|61 61 61 61 61 61 61 61 61 61 61 61 0F 42 01 05 41 41 41 41 41 41 41 41|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,25989; reference:cve,2007-5169; classtype:attempted-user; sid:17735; rev:9; service:http; service:imap; service:pop3; )
# sid 17650 — PageMaker key-string overflow (CVE-2007-6432): the colour name "Magenta" followed, 241 bytes
# later, by five 0x41 bytes; again keyed to proof-of-concept filler rather than a length field.
02195 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Pagemaker Key Strings Stack Buffer Overflow attempt"; flow:to_client,established; flowbits:isset,file.pmd; file_data; content:"Magenta",nocase; content:"|41 41 41 41 41|",within 5,distance 241; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,31999; reference:cve,2007-6432; classtype:attempted-admin; sid:17650; rev:7; service:http; service:imap; service:pop3; )
# sid 18406 — MS11-005 SPN update DoS (CVE-2011-0040): the bytes are the UTF-16LE string "bad.DNSentry"
# plus a terminating null. Not gated on any file-type flowbit, so it runs on every file_data buffer.
02197 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Microsoft Windows Server 2003 update service principal name spn dos executable attempt"; flow:to_client,established; file_data; content:"|62 00 61 00 64 00 2E 00 44 00 4E 00 53 00 65 00 6E 00 74 00 72 00 79 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-0040; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-005; classtype:attempted-admin; sid:18406; rev:8; service:http; service:imap; service:pop3; )
# sid 18644 — MS11-032 OpenType CFF FontMatrix (CVE-2011-0034): 20-byte fixed sequence that reads like CFF
# DICT operand/operator encoding (0C xx escape operators). No flowbit gate; msg keeps the upstream spelling.
02199 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Microsoft Windows OpenType Fonts CompactFontFormat FontMatrix tranform memory corruption attempt"; flow:to_client,established; file_data; content:"|04 FB 61 0C 03 F1 0C 04 8C 8B 8B 8C 8B 8B 0C 07 1C F7 E9 FD|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-0034; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-032; classtype:attempted-admin; sid:18644; rev:8; service:http; service:imap; service:pop3; )
# sid 18402 — MS11-007 ATMFD font driver RCE (CVE-2011-0033): 20-byte fixed sequence, no flowbit gate.
02200 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Microsoft Windows ATMFD Adobe font driver remote code execution attempt"; flow:to_client,established; file_data; content:"|64 A2 F7 60 A2 01 F7 A7 C8 03 14 E0 F7 E6 43 15 BE C9 A3 B0|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-0033; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-007; classtype:attempted-user; sid:18402; rev:7; service:http; service:imap; service:pop3; )
# sid 18276 — MS11-002 MDAC (CVE-2011-0026): the 74-byte pattern looks like x86 machine code (33 C0 xor eax,eax,
# E8 rel32 calls, 58 5A 5F 5E 5B pops), i.e. a signature on a specific compiled PoC binary rather than on
# malformed data. No flowbit gate.
02201 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Microsoft Data Access Components library attempt"; flow:to_client,established; file_data; content:"|33 C0 66 89 45 F4 6A FD 8D 85 BC FF FE FF 50 6A FD 8D 8D D8 FF FE FF 51 6A FD 8D 95 F4 FF FE FF 52 8B 85 A4 FF FE FF 50 E8 9B FB FF FF 33 C0 52 8B CD 50 8D 15 14 15 41 00 E8 9E FB FF FF 58 5A 5F 5E 5B 8B 4D FC 33 CD E8 12 FB|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-0026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-002; classtype:attempted-user; sid:18276; rev:8; service:http; service:imap; service:pop3; )
# sid 18953 — MS10-056 RTF field type (CVE-2010-1901): 32-byte high-entropy sequence, not RTF control words,
# so presumably keyed to an embedded object in one sample; sid 18954 below is a sibling for the same CVE.
02202 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER rich text format unexpected field type memory corruption attempt"; flow:to_client,established; file_data; content:"|4B 47 2D D7 6B CF 87 5D CF DB F3 1E FE 9F 9F 5F F4 A3 30 49 BC A4 DB 9E B3 C3 7B ED B9 C5 28 6E|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-1901; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-056; classtype:attempted-user; sid:18953; rev:6; service:http; service:imap; service:pop3; )
# sid 18954 — second 32-byte sample-specific sequence for CVE-2010-1901 (see sid 18953).
02203 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER rich text format unexpected field type memory corruption attempt"; flow:to_client,established; file_data; content:"|CB 5D 91 76 A2 A3 23 D7 EF 15 F9 A8 E3 7A DD A5 78 21 08 0E FE 17 FF 2F 2D AD 84 49 9C 65 41 B6|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-1901; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-056; classtype:attempted-user; sid:18954; rev:6; service:http; service:imap; service:pop3; )
# sid 17374 — WinHelp HLP heap overflow (CVE-2007-1912): the HLP magic 3F 5F 03 00 in the first 4 bytes, then a
# "TTLBTREE" internal-file name with a specific 7-byte tail. Anchored on magic instead of a flowbit.
02204 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Microsoft Windows HLP File Handling heap overflow attempt"; flow:to_client,established; file_data; content:"|3F 5F 03 00|",depth 4; content:"TTLBTREE|00 2E 06 00 00 7C 62|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,23382; reference:cve,2007-1912; classtype:attempted-user; sid:17374; rev:4; service:http; service:imap; service:pop3; )
# sid 17382 — MS Project invalid pointer (CVE-2008-1088): 21-byte fixed sequence including a 41 41 41 41 ('AAAA')
# filler run; no flowbit gate.
02205 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Microsoft Project Invalid Memory Pointer Code Execution attempt"; flow:to_client,established; file_data; content:"|00 0B 00 00 00 CC E5 1A 00 41 41 41 41 00 00 00 00 03 02 01 22|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,28607; reference:cve,2008-1088; classtype:attempted-user; sid:17382; rev:4; service:http; service:imap; service:pop3; )
# sid 18537 — OpenOffice XPM integer overflow (CVE-2009-2949): "/* XPM */" header (fast_pattern) and a
# "static char *" declaration; the pcre (relative, /R) skips to the first quoted string and consumes two
# space-separated decimal numbers, after which two ASCII-decimal byte_tests (up to 10 digits each, at
# relative offsets 0 and 1) require values > 419062 and > 10244 — oversized XPM values-line fields.
02206 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER OpenOffice.org XPM file processing integer overflow attempt"; flow:to_client,established; flowbits:isset,file.xpm; file_data; content:"/* XPM */",fast_pattern; content:"static char *",distance 0; pcre:"/^[^\x22]+\x22(\d+\x20+){2}/R"; byte_test:10,>,419062,0,relative,string; byte_test:10,>,10244,1,relative,string; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,38218; reference:cve,2009-2949; classtype:attempted-user; sid:18537; rev:6; service:http; service:imap; service:pop3; )
# sid 14039 — libxslt crypto:rc4_ key overflow (CVE-2008-2935): in an XML stream with "xsl:stylesheet", finds
# "crypto:rc4_" and then (relative pcre) encrypt(' or decrypt(' whose single-quoted first argument is at least
# 129 characters — i.e. a key string longer than 128 bytes.
02207 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER GNOME Project libxslt RC4 key string buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xml; file_data; content:"xsl|3A|stylesheet",fast_pattern,nocase; content:"crypto|3A|rc4_",nocase; pcre:"/^(encrypt|decrypt)\x28\x27[^\x27]{129}/smiR"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,30467; reference:cve,2008-2935; classtype:attempted-user; sid:14039; rev:13; service:http; service:imap; service:pop3; )
# sid 20889 — Video Spirit .visprj overflow (CVE-2011-0499): a <valitem ...> element whose value= or name=
# attribute holds at least 104 characters without a closing quote. The pcre is not relative (no /R), so it
# rescans the buffer independently of the "valitem" content match.
02208 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Video Spirit visprj buffer overflow"; flow:established,to_client; flowbits:isset,file.visprj; file_data; content:"valitem",nocase; pcre:"/<\s*valitem[^>]*\s(value|name)\s*=\s*([\x22\x27])[^\x22\x27]{104}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-0499; classtype:attempted-user; sid:20889; rev:5; service:http; service:imap; service:pop3; )
# sid 15693 — MS09-029 EOT name-table overflow (CVE-2009-0231): 16-byte fixed sequence of 16-bit big-endian
# values ending in FF FF, in a file.eot stream.
02209 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Microsoft Windows Embedded Open Type Font malformed name table overflow attempt"; flow:to_client,established; flowbits:isset,file.eot; file_data; content:"|00 01 00 01 00 12 00 01 00 01 00 00 00 01 FF FF|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-0231; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-029; classtype:attempted-user; sid:15693; rev:10; service:http; service:imap; service:pop3; )
# sid 19911 — MS11-045 SYLK stack overflow (CVE-2011-1276): requires 200 consecutive CRLF-terminated lines that
# each begin with "P;" (picture/format records); the content match just pre-qualifies the pcre.
02210 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Microsoft SYmbolic LinK stack overflow attempt"; flow:to_client,established; flowbits:isset,file.slk; file_data; content:"P|3B|"; pcre:"/(^P\x3B[^\x3B]*\x0D\x0A){200}/mi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,48161; reference:cve,2011-1276; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-045; classtype:attempted-user; sid:19911; rev:7; service:http; service:imap; service:pop3; )
# sid 17238 — ACDSee XBM overflow: "#define" followed by an identifier ending in "_width" that is at least 57
# non-whitespace characters long (the lookahead enforces the minimum length before the _width suffix).
# No CVE listed; only bugtraq/OSVDB references.
02211 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER ACD Systems ACDSee Products XBM file handling buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xbm; file_data; content:"|23|define"; content:"|5F|width",distance 0; pcre:"/\x23define\s*(?=[\S]{57})\S*\x5Fwidth/"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,37685; reference:url,osvdb.org/show/osvdb/63643; classtype:attempted-user; sid:17238; rev:5; service:http; service:imap; service:pop3; )
# sid 16520 — Free Download Manager torrent overflow (CVE-2009-0184): bencoded key "4:path" followed by the
# list opener "l"; the ASCII-decimal length prefix of the first list element (up to 6 digits) must exceed 10000.
# sids 16519/16518/16517 below apply the same check to the name, announce and comment keys.
02212 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Free Download Manager .torrent parsing path overflow attempt"; flow:to_client,established; flowbits:isset,file.torrent; file_data; content:"4|3A|pathl",nocase; byte_test:6,>,10000,0,relative,dec,string; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,33555; reference:cve,2009-0184; classtype:attempted-user; sid:16520; rev:8; service:http; service:imap; service:pop3; )
# sid 16519 — torrent "4:name" value whose bencode length prefix exceeds 10000 (see sid 16520).
02213 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Free Download Manager .torrent parsing name overflow attempt"; flow:to_client,established; flowbits:isset,file.torrent; file_data; content:"4|3A|name",nocase; byte_test:6,>,10000,0,relative,dec,string; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,33555; reference:cve,2009-0184; classtype:attempted-user; sid:16519; rev:8; service:http; service:imap; service:pop3; )
# sid 16518 — torrent "8:announce" value whose bencode length prefix exceeds 100000 (higher threshold than
# the path/name variants).
02214 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Free Download Manager .torrent parsing announce overflow attempt"; flow:to_client,established; flowbits:isset,file.torrent; file_data; content:"8|3A|announce",nocase; byte_test:6,>,100000,0,relative,dec,string; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,33555; reference:cve,2009-0184; classtype:attempted-user; sid:16518; rev:8; service:http; service:imap; service:pop3; )
# sid 16517 — torrent "7:comment" value whose bencode length prefix exceeds 100000.
02215 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Free Download Manager .torrent parsing comment overflow attempt"; flow:to_client,established; flowbits:isset,file.torrent; file_data; content:"7|3A|comment",nocase; byte_test:6,>,100000,0,relative,dec,string; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,33555; reference:cve,2009-0184; classtype:attempted-user; sid:16517; rev:8; service:http; service:imap; service:pop3; )
# sid 17366 — Help Workshop HPJ overflow (CVE-2007-0427): an "[OPTIONS]" section containing an "HLP=" line whose
# value runs at least 257 characters without a newline.
02216 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Microsoft Help Workshop HPJ OPTIONS section buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.hpj; file_data; content:"[OPTIONS]"; content:"HLP",distance 0,nocase; pcre:"/^\s*HLP\s*\x3d\s*[^\n]{257}/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,22135; reference:cve,2007-0427; classtype:attempted-user; sid:17366; rev:5; service:http; service:imap; service:pop3; )
# sid 24277 — Shockwave rcsL corruption (CVE-2010-3653, apsa10-04): "rcsL" preceded by FF FF FF FF 00 00, an
# isdataat guard for 484 bytes, then a 20-byte sample-specific sequence exactly 484 bytes later.
02219 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Shockwave Director rcsL chunk memory corruption attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"|FF FF FF FF 00 00|rcsL"; isdataat:484,relative; content:"|00 00 00 80 00 00 F0 00 6B 2B 2B 45 46 AB 41 05 43 01 57 17|",within 20,distance 484; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,44291; reference:cve,2010-3653; reference:url,www.adobe.com/support/security/advisories/apsa10-04.html; classtype:attempted-user; sid:24277; rev:1; service:http; service:imap; service:pop3; )
# sid 17042 — MS10-046 LNK arbitrary DLL load (CVE-2010-2568): the ShellLink header (size 0x4C plus the
# 00021401-0000-0000-C000-000000000046 CLSID) followed later by a 16-byte GUID that decodes to
# 21EC2020-3AEA-1069-A2DD-08002B30309D in the item-ID list. No flowbit gate; anchored on the header bytes.
02224 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Microsoft LNK shortcut arbitrary dll load attempt"; flow:to_client,established; file_data; content:"|4C 00 00 00 01 14 02 00 00 00 00 00 C0 00 00 00 00 00 00 46|"; content:"|20 20 EC 21 EA 3A 69 10 A2 DD 08 00 2B 30 30 9D|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-2568; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-046; classtype:attempted-user; sid:17042; rev:9; service:http; service:imap; service:pop3; )
# sid 24649 — MS12-078/MS12-075 TTF cmap counter overflow (CVE-2012-2897, CVE-2012-4786): after the "cmap" tag,
# a 16-bit 0004 (reads as a format-4 subtable), 00 02 four bytes later (reads as segCountX2 = 2, one segment),
# and six bytes after that FF FF 00 00 00 00 (reads as endCode 0xFFFF, reserved pad, startCode 0) — a single
# segment spanning the whole code space. Decoding is per the TrueType cmap format-4 layout; confirm against spec.
02227 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Microsoft Windows TTF parsing counter overflow attempt"; flow:to_client,established; flowbits:isset,file.ttf; file_data; content:"cmap"; content:"|00 04|",distance 0; content:"|00 02|",within 2,distance 4; content:"|FF FF 00 00 00 00|",within 6,distance 6; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-2897; reference:cve,2012-4786; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-078; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-075; classtype:attempted-admin; sid:24649; rev:4; service:http; service:imap; service:pop3; )
# sid 24702 — Director rcsL denial of service (CVE-2012-2030): 12-byte fixed sequence; classtype is
# denial-of-service rather than attempted-user, unlike the other rcsL rules above.
02229 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Adobe Director rcsL chunk parsing denial of service attempt"; flow:to_client,established; flowbits:isset,file.dir; file_data; content:"|2C 52 02 4C 00 4C 33 4C 02 4C 01 61|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-2030; classtype:denial-of-service; sid:24702; rev:2; service:http; service:imap; service:pop3; )
# sid 25247 — Lattice PAC Designer symbol overflow (CVE-2012-2915): nested <PacDesignData>/<SymbolicSchematicData>/
# <Symbol>/<Value> elements, with isdataat + a negated "</Value>" within 96 bytes — i.e. a Value text of 96+ bytes.
# Policy note: only balanced-ips is listed in metadata; security-ips is absent, unlike neighbouring rules.
02231 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Lattice PAC Designer symbol value buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xml; file_data; content:"<PacDesignData>|0A|",depth 30,offset 15; content:"<SymbolicSchematicData>|0A|",distance 0; content:"<Symbol>",distance 0; content:"<Value>",distance 0; isdataat:96,relative; content:!"</Value>",within 96; metadata:policy balanced-ips drop,service http,service imap,service pop3; reference:cve,2012-2915; classtype:attempted-user; sid:25247; rev:1; service:http; service:imap; service:pop3; )
# sid 25275 — MS13-002 MSXML pointer cast (CVE-2013-0007): literal XPath "//doesnotexist[position() != 3]".
# HTTP only ($HTTP_PORTS, service http), no flowbit gate; a literal-string signature keyed to the public PoC.
02234 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-OTHER MSXML dynamic pointer casting arbitrary code execution attempt"; flow:to_client,established; file_data; content:"//doesnotexist[position|28 29| != 3]"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0007; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-002; classtype:attempted-user; sid:25275; rev:1; service:http; )
# sid 25341 — Cisco WebEx .wrf RCE (CVE-2011-4004): 20-byte fixed sequence in a file.wrf stream.
02235 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Cisco WebEx player remote code execution attempt"; flow:to_client,established; flowbits:isset,file.wrf; file_data; content:"|FF 7F 25 00 88 03 8C 02 CC 7C 01 00 00 00 00 00 FD 7E 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-4004; classtype:attempted-user; sid:25341; rev:1; service:http; service:imap; service:pop3; )
# sid 25607 — Csound hetro overflow (CVE-2012-0270): two short sequences with no distance/within relation
# between them (they may appear anywhere, in any order); 81 C4 54 F2 FF FF reads as x86 "add esp, imm32".
# NOTE(review): gated on file.csd although the msg describes a hetro audio file — confirm the flowbit is right.
02236 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Csound hetro audio file buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.csd; file_data; content:"|81 C4 54 F2 FF FF|"; content:"|46 54 95 6E|"; metadata:policy balanced-ips alert,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-0270; classtype:attempted-user; sid:25607; rev:1; service:http; service:imap; service:pop3; )
# sid 15430 — EMF+ GpFont.SetData overflow (CVE-2009-1217): EMF header record (type 1, " EMF" signature 40 bytes
# in), byte_jump over the header using the little-endian size field 40 bytes back, then two 0x46 (EMR_COMMENT)
# records with specific size/ID bytes, and finally a little-endian 32-bit field at +28 that must exceed
# 4261412864 (0xFE000000) — an oversized length. HTTP only, no flowbit gate.
02239 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Microsoft EMF+ GpFont.SetData buffer overflow attempt"; flow:to_client,established; file_data; content:"|01 00 00 00|"; content:" EMF",within 4,distance 36; byte_jump:4,-40,relative,little; content:"F|00 00 00|,|00 00 00| |00 00 00|",within 12,distance -8; content:"F|00 00 00|",distance 0; content:"|08|@|00 06|",within 4,distance 12; byte_test:4,>,4261412864,28,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,34250; reference:cve,2009-1217; classtype:attempted-user; sid:15430; rev:5; service:http; )
# sid 26030 — known malicious JAR (CVE-2013-1493): the entry name "ImAlpha$MyColorSpace.class" immediately
# followed by the "PK" signature of the next ZIP record; keyed to one sample's class name, so it will not
# catch renamed variants. HTTP only, file.jar gated.
02243 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Known malicious jar archive download attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"ImAlpha$MyColorSpace.classPK"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,58238; reference:cve,2013-1493; classtype:attempted-admin; sid:26030; rev:1; service:http; )
# sid 17633 — RealPlayer SWF frame overflow (CVE-2007-5400): 32-byte fixed sequence; no SWF flowbit gate, so it
# is evaluated against every file_data buffer on $FILE_DATA_PORTS.
02244 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER RealNetworks RealPlayer SWF frame handling buffer overflow attempt"; flow:to_client,established; file_data; content:"|E5 05 00 00 78 00 05 5F 00 00 0F A0 00 00 0C 01 00 43 02 FF FF FF BF 00 39 00 00 00 01 00 70 F2|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,30370; reference:cve,2007-5400; classtype:attempted-user; sid:17633; rev:8; service:http; service:imap; service:pop3; )
# Wireshark DECT dissector overflow (CVE-2011-1591) delivered as a pcap file.
# |D4 C3 B2 A1 02 00 04 00| at depth 8 anchors a little-endian pcap global
# header (24 bytes, version 2.4).  The remaining offsets are absolute from the
# start of file_data (no `relative`), so only the FIRST packet record is ever
# inspected: offset 36 is that record's orig_len (must be > 1499) and offset 40
# is the start of its frame, required to be dst ff:ff:ff:ff:ff:ff,
# src 00:00:00:00:00:00, ethertype 0x2323 (presumably the DECT ethertype the
# dissector registers on — confirm against Wireshark's etypes).
# NOTE(review): a capture whose oversized DECT frame is not the first record
# is not matched by this rule.
02246 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Wireshark DECT packet dissector overflow attempt"; flow:to_client,established; file_data; content:"|D4 C3 B2 A1 02 00 04 00|",depth 8; byte_test:4,>,1499,36,little; content:"|FF FF FF FF FF FF 00 00 00 00 00 00 23 23|",depth 14,offset 40,fast_pattern; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,47392; reference:cve,2011-1591; reference:url,osvdb.org/show/osvdb/71848; classtype:attempted-user; sid:20431; rev:4; service:http; )
02247 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-OTHER SafeNet SoftRemote multiple policy file local overflow attempt"; flow:to_client,established; file_data; content:"|5B|HKEY_LOCAL_MACHINE|5C|SOFTWARE|5C|IRE|5C|SafeNet|2F|Soft-PK|5C|ACL|5C|GROUPDEFS|5C|_SafeNet_Default_Group|5D|"; content:"|22|GROUPNAME|22 3D 22|",distance 0; isdataat:256,relative; content:!"|22|",within 256; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-3861; reference:url,osvdb.org/show/osvdb/59724; classtype:attempted-user; sid:16732; rev:3; service:http; )
02248 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Orbital Viewer .orb stack buffer overflow attempt"; flow:to_client,established; file_data; content:"OrbitalFileV1.0|0D 0A|",nocase; pcre:"/^[^\x00]{512}/R"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,38436; reference:cve,2010-0688; classtype:attempted-user; sid:16721; rev:5; service:http; )
02249 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-OTHER VariCAD multiple products DWB file handling overflow attempt"; flow:to_client,established; file_data; content:"|34 87 01 00 00 00 00 00 25 5C 1F 85|",depth 12; pcre:"/^[^\x0a\x3d]{512}/R"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,38815; reference:url,osvdb.org/show/osvdb/63067; classtype:attempted-user; sid:16736; rev:3; service:http; )
02252 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-OTHER IBM Informix Client SDK NFX file InformixServerList processing stack buffer overflow attempt"; flow:to_client,established; file_data; content:"[Setnet32]",fast_pattern,nocase; content:"ServerSize=",distance 0; byte_test:4,>,293,0,relative,dec,string; pcre:"/InformixServerList=([^\r\n\x3B]{,293}\x3B)*[^\r\n\x3B]{294}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,36588; reference:cve,2009-3691; classtype:attempted-user; sid:16346; rev:3; service:http; )
02253 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-OTHER IBM Informix Client SDK NFX file HostList processing stack buffer overflow attempt"; flow:to_client,established; file_data; content:"[Setnet32]",fast_pattern,nocase; content:"HostSize=",distance 0; byte_test:4,>,296,0,relative,dec,string; pcre:"/HostList=([^\r\n\x3B]{,296}\x3B)*[^\r\n\x3B]{297}/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,36588; reference:cve,2009-3691; classtype:attempted-user; sid:16345; rev:3; service:http; )
02254 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-OTHER FeedDemon unicode OPML file handling buffer overflow attempt"; flow:to_client,established; file_data; content:"|3C 00|o|00|p|00|m|00|l|00|",nocase; content:"|3C 00|o|00|u|00|t|00|l|00|i|00|n|00|e|00|",distance 0,nocase; pcre:"/[^\x3E]*?t\x00e\x00x\x00t\x00(\s\x00)*\x3D\x00(\s\x00)*(\x27\x00(?!(..){0,500}\x27\x00)|\x22\x00(?!(..){0,500}\x22\x00)|(?!(..){0,500}\s\x00))/isOR"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,33630; reference:cve,2009-0546; classtype:attempted-user; sid:17105; rev:2; service:http; )
02255 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-OTHER FeedDemon OPML file handling buffer overflow attempt"; flow:to_client,established; file_data; content:"|3C|opml",nocase; content:"|3C|outline",distance 0,nocase; pcre:"/[^\x3E]*?text\s*\x3D\s*(\x27[^\x27]{500}|\x22[^\x22]{500}|\S{500})/iR"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,33630; reference:cve,2009-0546; classtype:attempted-user; sid:17104; rev:2; service:http; )
# UltraISO CloneCD (.ccd) parser overflow (CVE-2009-1260).
# The file must open with "[CloneCD]" (depth 9).  After "INDEX 1=",
# isdataat:256,relative guarantees at least 256 more bytes and
# content:!"|0A|",within 256 requires that none of them is a line feed, i.e. the
# value runs 256+ bytes without a newline.  The terminator check is LF only; a
# line ended by a bare CR would still count toward the 256-byte run.
02256 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-OTHER UltraISO CCD file handling overflow attempt"; flow:to_client,established; file_data; content:"[CloneCD]",depth 9; content:"INDEX 1=",distance 0; isdataat:256,relative; content:!"|0A|",within 256; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-1260; reference:url,osvdb.org/show/osvdb/53275; classtype:attempted-user; sid:16733; rev:3; service:http; )
02257 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-OTHER ProShow Gold PSH file handling overflow attempt"; flow:to_client,established; file_data; content:"Photodex|28|R|29| ProShow|28|TM|29| Show File Version",depth 41; content:"cell[0].images[0].image=",distance 0; isdataat:512,relative; content:!"|0A|",within 512; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-3214; reference:url,osvdb.org/show/osvdb/57226; classtype:attempted-user; sid:16730; rev:3; service:http; )
02258 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-OTHER IDEAL Administration IPJ file handling stack overflow attempt"; flow:to_client,established; file_data; content:"|0D 0A|[Group,Export,Yes]|0D 0A|",depth 22; content:"Computer=",distance 0; pcre:"/^[^\s\x00]{512}/R"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-4265; reference:url,osvdb.org/show/osvdb/60681; classtype:attempted-user; sid:16727; rev:3; service:http; )
02259 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-OTHER ClamAV antivirus CHM file handling DOS"; flow:to_client,established; file_data; content:"ITSF"; content:"|11 FD 01 7C AA 7B D0 11 9E 0C 00 A0 C9 22 E6 EC|",within 16,distance 36; content:"ITSP",distance 0; byte_test:4,<,8,12,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,30994; reference:cve,2008-1389; reference:url,sourceforge.net/project/shownotes.php?group_id=86638&release_id=623661; classtype:attempted-dos; sid:17602; rev:5; service:http; )
# CA AV engine CAB header parsing stack overflow (CVE-2007-2864).
# Cursor sits just after "MSCF" (file offset 4).  byte_test reads the 16-bit
# value 24 bytes on (file offset 28 — cFiles in a standard CFHEADER) and
# requires exactly one file.  byte_jump reads the 32-bit value 12 bytes on
# (file offset 16 — coffFiles); the jump starts after those 4 bytes, so
# post_offset -20 lands the cursor exactly at coffFiles, the first CFFILE entry.
# The pcre then skips CFFILE's 16 fixed bytes (cbFile, uoffFolderStart, iFolder,
# date, time, attribs) and demands a 256+ byte szName with no NUL terminator.
# Field names assume the documented CFHEADER/CFFILE layout — TODO confirm.
02260 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-OTHER CA multiple product AV engine CAB header parsing stack overflow attempt"; flow:to_client,established; file_data; content:"MSCF",depth 4; byte_test:2,=,1,24,relative,little; byte_jump:4,12,relative,post_offset -20,little; pcre:"/^.{16}[^\x00]{256}/sR"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,24330; reference:cve,2007-2864; classtype:attempted-user; sid:16719; rev:3; service:http; )
02261 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-OTHER ClamAV libclamav PE file handling integer overflow attempt"; flow:to_client,established; file_data; content:"|4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00|"; isdataat:288,relative; content:"|00 00 2E 70 65 74 69 74 65 00 00 D0 0D 00 00 30 FF FF A3 D1|",within 20,distance 288; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-0318; classtype:attempted-user; sid:17305; rev:4; service:http; )
02262 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-OTHER ProShow Gold PSH file handling overflow attempt"; flow:to_client,established; file_data; content:"ProShow Gold - Built-In Content/Backgrounds/Abstract_02.jpgAAAAAAAAAAAAAAA"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-3214; reference:url,osvdb.org/show/osvdb/57226; classtype:attempted-user; sid:16731; rev:4; service:http; )
02263 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Microsoft Windows uniscribe fonts parsing memory corruption attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|00 47 3E 34 CB 58 A7 A2 F5 3F D0 B9 1B CA 20 05 7E 6D|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,43068; reference:cve,2010-2738; reference:url,osvdb.org/show/osvdb/67984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-063; classtype:attempted-user; sid:26648; rev:2; service:http; service:imap; service:pop3; )
02264 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Microsoft Windows uniscribe fonts parsing memory corruption attempt"; flow:to_client,established; flowbits:isset,file.ttf; file_data; content:"|00 43 FF F1 02 3B 02 D8 00 25 00 00 01 32 35 34 26 23 22|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,43068; reference:cve,2010-2738; reference:url,osvdb.org/show/osvdb/67984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-063; classtype:attempted-user; sid:26649; rev:2; service:http; service:imap; service:pop3; )
02265 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Microsoft Windows HLP File Handling heap overflow attempt"; flow:to_client,established; file_data; content:"|3F 5F 03 00|",depth 4; content:"TTLBTREE|00 5B 21 00 00 7C 56|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,23382; reference:cve,2007-1912; classtype:attempted-user; sid:27166; rev:1; service:http; service:imap; service:pop3; )
02268 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF PDF with click-to-launch executable"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/F"; content:"/Mac",fast_pattern,nocase; pcre:"/\x2fF\s*(<<|)\s*\x2fMac\s*\x28/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-1240; reference:url,blog.didierstevens.com/2010/03/29/escape-from-pdf/; reference:url,blogs.adobe.com/adobereader/2010/04/didier_stevens_launch_function.html; classtype:misc-activity; sid:19648; rev:9; service:http; service:imap; service:pop3; )
02269 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF PDF with click-to-launch executable"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/F"; content:"/Unix",fast_pattern,nocase; pcre:"/\x2fF\s*(<<|)\s*\x2fUnix\s*\x28/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-1240; reference:url,blog.didierstevens.com/2010/03/29/escape-from-pdf/; reference:url,blogs.adobe.com/adobereader/2010/04/didier_stevens_launch_function.html; classtype:misc-activity; sid:19647; rev:9; service:http; service:imap; service:pop3; )
02270 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF PDF with click-to-launch executable"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/F"; content:"/DOS",fast_pattern,nocase; pcre:"/\x2fF\s*(<<|)\s*\x2fDOS\s*\x28/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-1240; reference:url,blog.didierstevens.com/2010/03/29/escape-from-pdf/; reference:url,blogs.adobe.com/adobereader/2010/04/didier_stevens_launch_function.html; classtype:misc-activity; sid:19646; rev:9; service:http; service:imap; service:pop3; )
# Flags a PDF whose EmbeddedFile stream carries ASCIIHex-encoded "<pdf>" ...
# "</pdf>" markup: 3C7064663E and 3C2F7064663E are the hex spellings of those
# two tags (0x3C '<', 0x70 'p', 0x64 'd', 0x66 'f', 0x3E '>').
# NOTE(review): only the hex-encoded text form is matched; a Flate-compressed
# or raw embedded PDF contains none of these literals.  Unlike the sibling
# FILE-PDF rules this one has no flowbits:isset,file.pdf gate, its classtype is
# policy-violation and the only reference is Adobe's generic JavaScript page —
# treat hits as visibility/policy, not exploit detection.
02271 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF PDF file with embedded PDF object"; flow:to_client,established; file_data; content:"EmbeddedFile",nocase; content:"3C7064663E",distance 0,nocase; content:"3C2F7064663E",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.adobe.com/devnet/acrobat/javascript.html; classtype:policy-violation; sid:18684; rev:7; service:http; service:imap; service:pop3; )
# PDF /Launch action whose /F target names an executable (CVE-2010-1240,
# Didier Stevens' "escape from PDF").  "obj" + "<<" within 4 + "/Launch" within
# 100 locates an action dictionary.  NOTE(review): the following content:"/F"
# carries no distance/within, so it is not tied to that dictionary, and the
# pcre only accepts targets ending in .exe, .dll or .swf — a /Launch whose /F is
# a .bat, .cmd, .vbs or other extension is not matched (the sibling rules
# sid:19646-19648 cover the /DOS, /Unix and /Mac forms separately).
02272 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF PDF with click-to-launch executable"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"obj",nocase; content:"<<",within 4; content:"/Launch",within 100,fast_pattern; content:"/F"; pcre:"/\/F[^\/>]+\.(exe|dll|swf)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-1240; reference:url,blog.didierstevens.com/2010/03/29/escape-from-pdf/; reference:url,blogs.adobe.com/adobereader/2010/04/didier_stevens_launch_function.html; classtype:misc-activity; sid:16523; rev:9; service:http; service:imap; service:pop3; )
02273 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat and Acrobat Reader util.printf buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"util.printf"; pcre:"/\x28\s*\x22\s*\x25([2-9][6-9][5-9]|[1-9][0-9]{3,})f/mi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2008-2992; classtype:attempted-user; sid:15014; rev:8; service:http; service:imap; service:pop3; )
02274 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat and Acrobat Reader embedded BMP colors used integer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"stream",nocase; content:"BM",within 20; content:"|00 00 00 00|",within 4,distance 4; content:"|28 00 00 00|",within 4,distance 4; byte_test:4,>,0x1FFFFFFF,28,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-4373; reference:url,www.adobe.com/support/security/bulletins/apsb12-01.html; classtype:attempted-user; sid:20921; rev:6; service:http; service:imap; service:pop3; )
02275 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat and Acrobat Reader JpxDecode invalid crgn memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"jp2c|FF 4F|"; content:"|FF 5E 00|",distance 0; pcre:"/\xff\x5e\x00(\x05[\x80-\xff]|\x06\x00[\x80-\xff]|\x06[^\x00])/"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,37757; reference:cve,2009-3955; classtype:attempted-user; sid:18801; rev:4; service:http; service:imap; service:pop3; )
02276 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat and Acrobat Reader libtiff TIFFFetchShortPair stack buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"stream|0A 78 9C ED 5B 5B 6F E2 38 14 7E EF AF 88 B2 6F CB 0E E6 0E AD 0A 23 73 5B 68 9B 02 E5 DA BE 8C 4C E2 04 97 24 0E B1 D3 00 BF 7E ED 24 B4 94 99 DD 19 69 1F 56 5A 39 D2 07 E7 F6 1D 1F DB 71 9E 7C|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2006-3459; reference:cve,2010-0188; classtype:attempted-user; sid:17214; rev:5; service:http; service:imap; service:pop3; )
02277 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat and Acrobat Reader libtiff TIFFFetchShortPair stack buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"stream|0A 78 9C ED 5B 49 73 E2 38 14 BE F7 AF 70 79 6E C3 34 62 87 A4 42 BA C4 36 90 C4 01 C2 9A 5C BA 84 2D 1B 07 DB 32 96 1C 03 BF 7E 24 2F 6C D3 3D 9D C3 54 4D 4D 95 5C F5 81 DE|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2006-3459; reference:cve,2010-0188; classtype:attempted-user; sid:17215; rev:5; service:http; service:imap; service:pop3; )
02278 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat and Acrobat Reader icc mluc integer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"mluc|00 00 00 00|"; byte_test:4,>,357913941,0,relative; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,43729; reference:cve,2010-3622; classtype:attempted-user; sid:18308; rev:5; service:http; service:imap; service:pop3; )
# CVE-2010-4091: printSeps() memory corruption in Acrobat/Reader (APSB10-28,
# APSB11-03).  This is a bare substring match on "printSeps" anywhere in a PDF
# (gated only by the file.pdf flowbit): no call syntax and no JavaScript context
# is checked, so any document that merely contains the API name fires it.
# Deliberately broad; documents using the legitimate print-separations API may
# produce hits.  classtype attempted-admin is inherited from the original
# disclosure's assessment.
02279 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat and Acrobat Reader invalid PDF JavaScript extension call"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"printSeps"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-4091; reference:url,www.adobe.com/support/security/bulletins/apsb10-28.html; reference:url,www.adobe.com/support/security/bulletins/apsb11-03.html; classtype:attempted-admin; sid:18102; rev:10; service:http; service:imap; service:pop3; )
02280 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat and Acrobat Reader PDF subroutine pointer attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|90 90 90 E8 00 00 00 00 5B 90 66 C7 03 EB FE|"; content:"RICN"; content:"AR07",within 6; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2006-5857; classtype:attempted-user; sid:21765; rev:3; service:http; service:imap; service:pop3; )
02281 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat and Acrobat Reader doc.export arbitrary file write attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:".export",nocase; pcre:"/\x2eexport(AsFDF|AsText|AsXFDF|DataObject|XFAData)\x28[^\x2c\x29]*\x2c[^\x2c\x29]*\x2c[^\x29]+\x2eexe/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-2993; classtype:attempted-user; sid:16324; rev:8; service:http; service:imap; service:pop3; )
# NOTE(review): marker-string indicator only — matches the literal "qwe123"
# anywhere after the "%PDF-1." header.  The rule carries no CVE or URL
# reference and is trivially evaded by changing the marker.  Treat a hit as a
# low-confidence IOC for a known sample family, not as exploit detection.
02282 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Possible malicious pdf detection - qwe123"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"%PDF-1."; content:"qwe123",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; classtype:trojan-activity; sid:21583; rev:6; service:http; service:imap; service:pop3; )
# NOTE(review): case-sensitive literal match on "NEW PDF EXPLOIT" anywhere in a
# PDF, with no reference and no structural check.  Useful only as a catch for
# unmodified proof-of-concept samples; any rebuilt document evades it, and
# classtype attempted-user overstates what a hit proves.
02283 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Possible malicious pdf - new pdf exploit"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"NEW PDF EXPLOIT"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; classtype:attempted-user; sid:21431; rev:6; service:http; service:imap; service:pop3; )
02284 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Possible unknown malicious PDF"; flow:to_client, established; flowbits:isset, file.pdf; file_data; content:"%PDF-1."; content:"=new Array"; pcre:"/\d+?(.)\d+\1\d+\1\d+\1\d+\1\d+\1\d+\1\d+\1\d+\1\d+\1\d+\1\d+\1\d+/R"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-0188; classtype:attempted-user; sid:21429; rev:7; service:http; service:imap; service:pop3; )
# Laik exploit-kit PDF indicator keyed on one hard-coded /CreationDate value
# (D:20110405234628) found after the "%PDF-1." header.  Exact-string IOC: any
# re-generated sample with a different timestamp evades it, and the rule has no
# CVE/URL reference.  Tagged "ruleset community" in metadata.
02285 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF hostile PDF associated with Laik exploit kit"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"%PDF-1."; content:") /CreationDate (D:20110405234628)>>"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http,service imap,service pop3; classtype:trojan-activity; sid:21417; rev:7; service:http; service:imap; service:pop3; )
02286 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe JPEG2k uninitialized QCC memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|12 12 E0 0F 12 12 E0 0F 12 12 FF|]|00 16|LL"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-2994; classtype:attempted-user; sid:16325; rev:10; service:http; service:imap; service:pop3; )
02287 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader U3D rgba parsing overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|0E 01 00 00 00 01 0E 01 00 01 00 00 00 FE 00 70 6F 63 2E 72 67 62 61|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-0591; reference:url,www.adobe.com/support/security/bulletins/apsb11-03.html; classtype:attempted-user; sid:18457; rev:10; service:http; service:imap; service:pop3; )
02288 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader embedded BMP parsing corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|42 00 00 00 28 00 00 00 AB AA AA 0A 40 00 00 00 01|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-2438; reference:url,www.adobe.com/support/security/bulletins/apsb11-24.html; classtype:attempted-user; sid:20171; rev:6; service:http; service:imap; service:pop3; )
02289 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader embedded BMP parsing corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|12 0B 00 00 12 0B 00 00 00 01 00 00 00 01 00 00 41 41 41 41 41 41|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-2438; reference:url,www.adobe.com/support/security/bulletins/apsb11-24.html; classtype:attempted-user; sid:20170; rev:6; service:http; service:imap; service:pop3; )
02290 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader embedded BMP parsing corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|0E 00 00 C4 0E 00 00 00 40 00 00 00 00 00 00 58 58 58 58 58|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-2438; reference:url,www.adobe.com/support/security/bulletins/apsb11-24.html; classtype:attempted-user; sid:20169; rev:6; service:http; service:imap; service:pop3; )
02291 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader embedded PICT parsing corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"PICT"; content:"|00 01 41 41 41 01 41 41 41 01|",within 10,distance 11; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-2435; reference:url,www.adobe.com/support/security/bulletins/apsb11-24.html; classtype:attempted-user; sid:20148; rev:6; service:http; service:imap; service:pop3; )
02292 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader embedded PICT parsing corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"PICT"; content:"|00 02 E0 80 CC CC 58 58 58 58|",within 10,distance 13; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-2434; reference:url,www.adobe.com/support/security/bulletins/apsb11-24.html; classtype:attempted-user; sid:20147; rev:6; service:http; service:imap; service:pop3; )
02293 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader embedded PICT parsing corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"PICT"; content:"|00 02 10 80 CC CC 58 58 58 58|",within 10,distance 13; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-2433; reference:url,www.adobe.com/support/security/bulletins/apsb11-24.html; classtype:attempted-user; sid:20145; rev:6; service:http; service:imap; service:pop3; )
02294 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader ICC ProfileDescriptionTag overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|CE 00 07 00 09 00 12 00 04 00 33 64 65 73 63 00 00 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-2097; reference:url,www.adobe.com/support/security/bulletins/apsb11-16.html; classtype:attempted-user; sid:19255; rev:6; service:http; service:imap; service:pop3; )
02295 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader malformed U3D texture continuation integer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|5C FF FF FF 0C 00 00 00 00 00 00 00 08 00 54 65 78 74 75|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-2096; reference:url,www.adobe.com/support/security/bulletins/apsb11-16.html; classtype:attempted-user; sid:19248; rev:6; service:http; service:imap; service:pop3; )
02296 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Flash Player memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|63 2F 55 46 28 70 6F 63 2E 73 77 66 29 3E 3E 0D|"; content:"|3C 2F 43 68 65 63 6B 53 75 6D 3C 31 36 43 44 45 32 43 39 44 38 41 44 37 37 30 35 46 41 32 31 36 46 31 33 34 46 41 46 37 38 35 30 3E 2F 43 72 65|",within 48,distance 112; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-0609; reference:url,www.adobe.com/support/security/bulletins/apsb11-06.html; classtype:attempted-user; sid:19082; rev:6; service:http; service:imap; service:pop3; )
02297 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader malformed TIFF remote code execution attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"jNLjwFWnTvuP9HG9OL+q916q915//n</image"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-0188; reference:url,www.adobe.com/support/security/bulletins/apsb10-07.html; classtype:attempted-user; sid:18585; rev:6; service:http; service:imap; service:pop3; )
02298 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat JavaScript getIcon method buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|B3 2E 86 F7 BA C8 F4 4A 2B C7 AB 99 E8 6B 72 99 39 40 C7 59 B1 2E C9 D1 AE 0C 6E 39 A8 E5 DC 60|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,34169; reference:cve,2009-0927; classtype:attempted-user; sid:17472; rev:6; service:http; service:imap; service:pop3; )
02299 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat JavaScript getIcon method buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|55 1E 42 91 74 A1 4A FA 21 C7 DB 53 14 DE DE 9E A4 6A CD ED 29 C7 4E DE 9E BC ED 49 B3 35 11 D6|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,34169; reference:cve,2009-0927; classtype:attempted-user; sid:17471; rev:6; service:http; service:imap; service:pop3; )
02300 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF BitDefender Antivirus PDF processing memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|25 50 44 46 2D 31 2E 33 0A 25 E2 E3 CF D3 0A 33|",depth 16; content:"|3C 3C 2F 46 69 6C 74 65 72 20 5B 2F 46 6C 61 74 65 44 65 63 6F 64 65 20 2F 41 53 43 49 49 48 65 78 44 65 63 6F 64 65 5D|",within 40,distance 8; content:"|78 9C ED C2 31 0D 00 00 00 02 A0 4C 6E F6 CF 66 0D 0F 06 4D 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 38 30 4B 03 6A 32|",within 45,distance 22; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,32396; reference:cve,2008-5409; classtype:attempted-user; sid:17430; rev:6; service:http; service:imap; service:pop3; )
02301 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader malformed TIFF remote code execution attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|EB|/|ED|Z|B9|qX|F4 D8|C|F5|a|BF|+|0D 8C D2 F3 DD|*|EE 09|W|B1 B3 9B|P|EB AD D1 B3 07 A0|4|D8|m|7C 7F EB B5 EF|j|E8 F5|m[+t|8F 7C BC|f|BB 86|ql|F7 C0 C3 E8|"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-0188; reference:url,www.adobe.com/support/security/bulletins/apsb10-07.html; classtype:attempted-user; sid:16490; rev:8; service:http; service:imap; service:pop3; )
02302 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Foxit Reader createDataObject file write attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"createDataObject",nocase; pcre:"/^\s*\x5C?\x28\s*[\x22\x27][a-z]\x3A[\x2F\x5C]/iR"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,osvdb.org/show/osvdb/71104; reference:url,scarybeastsecurity.blogspot.com/2011/03/dangerous-file-write-bug-in-foxit-pdf.html; classtype:attempted-user; sid:21254; rev:6; service:http; service:imap; service:pop3; )
02303 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader javascript submitform memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"submitForm"; pcre:"/submitForm\s*\x28[^\x3b]+cURL\s*\x3a\s*[\x22\x27]\s*url\s*\x3a\s*(?!https?)[^\x27\x22\x23]*?\x23/ims"; isdataat:50; content:!"bGet",within 50,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-4371; reference:url,www.adobe.com/support/security/bulletins/apsb12-01.html; classtype:attempted-user; sid:20998; rev:4; service:http; service:imap; service:pop3; )
# U3D CLOD mesh code execution in Acrobat/Reader (CVE-2009-3953).
# After "U3D|00|" the rule finds block type 0xFFFFFF31 and then 0xFFFFFF3C
# (CLOD Mesh Declaration / CLOD Mesh Continuation in the U3D spec, presumably —
# the msg's "CLODMeshDeceleration" looks like a typo for "Declaration").  In
# each block byte_jump:2,8,relative reads a 16-bit LE value 8 bytes on and
# skips that many bytes (consistent with a length-prefixed name string —
# confirm), then byte_test compares the 32-bit LE field 12 bytes further on:
# it must be > 200 in the declaration and < 200 in the continuation.
# Sibling rule sid:16373 (CVE-2009-2990) performs the same walk with a
# 16777215/16777216 boundary.
02304 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat and Acrobat Reader U3D CLODMeshDeceleration code execution attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"U3D|00|"; content:"|31 FF FF FF|",distance 0; byte_jump:2,8,relative,little; byte_test:4,>,200,12,relative,little; content:"|3C FF FF FF|",distance 0; byte_jump:2,8,relative,little; byte_test:4,<,200,12,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-3953; classtype:attempted-user; sid:20429; rev:6; service:http; service:imap; service:pop3; )
# CVE-2009-2980: oversized image width in a DCTDecode (JPEG) image XObject.
# byte_test:7,>,1000000,1,relative,string skips one byte after "/width" and
# converts up to seven ASCII decimal digits, firing when the value exceeds
# 1,000,000; "/DCTDecode" must then appear later in the buffer, and the
# unanchored pcre additionally requires it inside the same dictionary (no ">"
# between the two tokens).  The one-byte skip assumes exactly one space between
# "/Width" and the number — "/Width  5000000" or a value on the next line may
# not convert as intended (TODO confirm how Snort's string conversion treats
# leading whitespace).
02305 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat and Acrobat Reader oversized object width attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/width",nocase; byte_test:7,>,1000000,1,relative,string; content:"/DCTDecode",distance 0,nocase; pcre:"/\x2fwidth[^\x3e]+\x2fDCTDecode/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-2980; classtype:attempted-user; sid:16322; rev:9; service:http; service:imap; service:pop3; )
02306 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat and Acrobat Reader U3D CLODMeshContinuation code execution attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"U3D|00|"; content:"1|FF FF FF|",distance 0; byte_jump:2,8,relative,little; byte_test:4,<,16777216,12,relative,little; content:"<|FF FF FF|",distance 0; byte_jump:2,8,relative,little; byte_test:4,>,16777215,12,relative,little; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,36665; reference:cve,2009-2990; reference:url,www.adobe.com/support/security/bulletins/apsb09-15.html; classtype:attempted-user; sid:16373; rev:9; service:http; service:imap; service:pop3; )
02307 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader File containing Flash use-after-free attack attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|3C 3C 2F 46 69 6C 74 65 72 2F 46 6C 61 74 65 44 65 63 6F 64 65 2F 46 69 72 73 74 20 39 39 2F 4C 65 6E 67 74 68 20 35 31 31 2F 4E 20 31 35 2F 54 79 70 65 2F 4F 62 6A 53 74 6D 3E 3E 73 74 72 65 61 6D 0D 0A 68 DE 6C 52 DB 6E E2 30|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-1297; classtype:attempted-user; sid:16633; rev:11; service:http; service:imap; service:pop3; )
02308 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat and Acrobat Reader sandbox disable attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|B6 84 05 8D 81 80 08 FF E3 A1 87 05 EA 88 A8 83 05 DE 8B B6 04 EA 80 80 08 D6 8B B6 04 99 D0 81 D0 06 EA 80 08 EA 80 A8 03 81 8A B6 04 D0 80 80|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-1353; reference:url,www.adobe.com/support/security/bulletins/apsb11-24.html; classtype:attempted-user; sid:20162; rev:7; service:http; service:imap; service:pop3; )
02309 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat and Acrobat Reader javascript in PDF go-to actions exploit attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/S /GoToR"; content:"/F |28|javascript:",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-2101; reference:url,www.adobe.com/support/security/bulletins/apsb11-16.html; classtype:attempted-user; sid:19254; rev:7; service:http; service:imap; service:pop3; )
02310 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat and Acrobat Reader shell metacharacter code execution attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"begin|20|",depth 6; pcre:"/^begin\s\d+\s[^\s\r\n\t]*\x60/sm"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,10931; reference:cve,2004-0630; classtype:attempted-user; sid:18527; rev:8; service:http; service:imap; service:pop3; )
02311 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat and Acrobat Reader JPX malformed code-block width attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|6A 50 20 20|"; content:"|FF 4F FF 51|",distance 0; byte_jump:2,36,relative,multiplier 3,big; content:"|FF 52 00 0C|",within 4; byte_test:1,>,16,5,relative; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,35274; reference:bugtraq,35289; reference:cve,2009-1859; reference:url,www.adobe.com/support/security/bulletins/apsb09-07.html; classtype:attempted-user; sid:15562; rev:9; service:http; service:imap; service:pop3; )
02312 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat and Acrobat Reader media.newPlayer memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/S/JavaScript"; content:"this.media.newPlayer"; pcre:"/^\x5C?\x28null\x5C?\x29/R"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,37331; reference:cve,2009-4324; classtype:attempted-user; sid:16333; rev:11; service:http; service:imap; service:pop3; )
02313 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe JPEG2k uninitialized QCC memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|12 12 E0 0F 12 12 E0 0F 12 12 FF|]|00 16|LL"; content:"setTimeout|28 22|doSpray|28 29 22|,2500|29 3B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-2995; classtype:attempted-user; sid:16323; rev:9; service:http; service:imap; service:pop3; )
02314 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe collab.removeStateModel denial of service attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|5C|x00|5C|x00|5C|x00|5C|x00",nocase; content:"Collab.removeStateModel",nocase; pcre:"/var\s*(\w+)\s*\x3D\s*\x22\x5Cx00\x5Cx00\x5Cx00\x5Cx00.*\x22.*Collab\x2EremoveStateModel\s*\x28\s*\1.*\x29/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-2988; classtype:attempted-user; sid:16175; rev:10; service:http; service:imap; service:pop3; )
02315 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe collab.addStateModel remote corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"Collab.addStateModel",nocase; content:"cname",nocase; content:"00",within 15,distance 2,nocase; pcre:"/Collab\x2EaddStateModel\s*\x28\s*\x7B.*cName\s*\x3A\s*\x22(\x22|\x5Cx00)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-2996; classtype:attempted-user; sid:16176; rev:9; service:http; service:imap; service:pop3; )
02316 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader CoolType.dll remote memory corruption denial of service attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|78 9C C5 97 4D 4B C4 30 10 86 EF 85 FE 87 39 26 87 CD 26 33|"; content:"|AC 6D EE D5 DD 46 CF 88 D4 87 76 9D 7A D7 B3 A0 40 63 A7 6E F4 2C AA 27 8D A4 5E 35 59 B5 9B E3|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,41130; reference:cve,2010-2204; classtype:attempted-dos; sid:16801; rev:8; service:http; service:imap; service:pop3; )
02317 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Possible Adobe Reader ActionScript byte_array heap spray attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"ByteArray",nocase; content:"|04 0C 0C 0C 0C|",within 100; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,35759; reference:cve,2009-1862; reference:url,blogs.adobe.com/psirt/2009/07/potential_adobe_reader_and_fla.html; classtype:attempted-user; sid:15728; rev:11; service:http; service:imap; service:pop3; )
02318 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat and Acrobat Reader BMP color unused corruption"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|6D 70 29 3E 3E 0A 65 6E 64 6F 62 6A 0A 32 30 20 30 20 6F 62 6A 0A 3C 3C 2F 53 75 62 74 79 70 65 2F 69 6D 61 67 65 23 32 66 62 6D 70 3E 3E 73 74 72 65 61 6D 0A 42 4D 80 07 00 00 00 00 00 00 76 00 00 00 28 00 00 00 01 00 00 00 01 00 00 00 01|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-4372; reference:url,www.adobe.com/support/security/bulletins/apsb12-01.html; classtype:attempted-user; sid:20919; rev:3; service:http; service:imap; service:pop3; )
02319 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat and Adobe Reader U3D file include overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"CDF1048AB8979121691236CBF4378433"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-2094; reference:url,www.adobe.com/support/security/bulletins/apsb11-16.html; classtype:attempted-user; sid:19250; rev:4; service:http; service:imap; service:pop3; )
02320 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat and Adobe Reader U3D RHAdobeMeta buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|3C 3C 2F|Subtype|2F|U3D|2F|Length",nocase; content:"|48 89 EC 55 7B 4C 53 69 16 BF 3C 2C F4 21 A0 C2|"; content:"|95 96 0B 5C 0A 22 BD 76 78 8A D8 5A 40 1E 22 2D|",within 16; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,35282; reference:cve,2009-1855; classtype:attempted-user; sid:17526; rev:5; service:http; service:imap; service:pop3; )
02321 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat font parsing integer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|01|pmaxp|02 ED 0A 7B 00 00|p|0E 00 00 00 20|name|EA 2E F3 EE 00 00|p.|00 00 04|aposts|F1|o|84 00 00|t|8F 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,44203; reference:cve,2010-2862; classtype:attempted-user; sid:17288; rev:4; service:http; service:imap; service:pop3; )
02322 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat XML entity escape attempt"; flow:to_client,established; file_data; content:"<|21|ENTITY",nocase; content:"SYSTEM",within 50,nocase; content:"http|3A 2F 2F|",within 50,nocase; content:"http|3A 2F 2F|",within 500,nocase; pcre:"/<\x21ENTITY[^>]+SYSTEM[^>]+http\x3A\x2F\x2F[^>\s]+http\x3A\x2F\x2F/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-0604; reference:url,www.adobe.com/support/security/bulletins/apsb11-03.html; classtype:attempted-user; sid:18456; rev:7; service:http; service:imap; service:pop3; )
02323 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat and Acrobat Reader malicious language.engtesselate.ln file download attempt"; flow:to_client,established; flowbits:isset,file.engtesselate; file_data; content:"2="; isdataat:255,relative; content:!"|0A|",within 255; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2011-2095; reference:url,www.adobe.com/support/security/bulletins/apsb11-16.html; classtype:attempted-user; sid:19253; rev:8; service:http; service:imap; service:pop3; )
02324 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat and Acrobat Reader U3D progressive mesh continuation pointer overwrite attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"<|FF FF FF C5 00 00 00 00 00 00 00 05 00|Box01|00 00 00 00 00 00 00 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01|k|01 00 00|k|01 00 00 D5 02 00 00 BF 85|]K|00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-2998; classtype:attempted-user; sid:16173; rev:6; service:http; service:imap; service:pop3; )
02325 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat and Acrobat Reader U3D progressive mesh continuation off by one index attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"<|FF FF FF C5 00 00 00 00 00 00 00 05 00|Box01|00 00 00 00 00 00 00 00 08 00 00 00|ABCD"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-3458; classtype:attempted-user; sid:16174; rev:6; service:http; service:imap; service:pop3; )
02326 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat and Acrobat Reader U3D line set heap corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"7|FF FF FF|h|00 00 00 00 00 00 00 06 00|Box_92|00 00 00 00 00 00 00 00 04 05 00 00| |00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|AAAA"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2009-2997; classtype:attempted-user; sid:16172; rev:6; service:http; service:imap; service:pop3; )
02327 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader and Acrobat TTF SING table parsing remote code execution attempt"; flow:to_client,established; file_data; content:"|35 3E 5D 0A 3E 3E 0A 73 74 61 72 74 78 72 65 66 0A 32 34 36 31 32 35 0A 25 25 45 4F 46 0A 0D 0A 25 53 49 47 4E 41 54 55 52 45 3A 20 E2 DA 47 7E AC 80 D7 7E AB 80|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-2883; reference:url,www.adobe.com/support/security/advisories/apsa10-02.html; classtype:attempted-user; sid:17233; rev:6; service:http; service:imap; service:pop3; )
02328 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader and Acrobat authplay.dll vulnerability exploit attempt"; flow:to_client,established; file_data; content:"|43 57 53 09 A2 D2 00 00 78 9C EC BD 79 7C 54 C5 D2 37 DE 7D|"; isdataat:316,relative; content:"|CF E7 77 BC EB 19 53 BF 99 F7 7C FB B8 D4 4B FA 7C EE E7 AC C7 83 AD 58 D8 F3 35 8B A5 1E B4 67 4D EA 3F EE 9E 3F 79 C9 AB ED 63 B6 F4 58 7A 57|",within 48,distance 316; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,40586; reference:cve,2010-1297; classtype:attempted-user; sid:16664; rev:4; service:http; service:imap; service:pop3; )
02330 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader/Acrobat Pro CFF font parsing heap overflow attempt"; flow:to_client,established; file_data; content:"6SC.Pseudo.Font.1|00 00 01 01 87|T|01 01 FF|T|00|V|02 00 01|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-1241; classtype:attempted-user; sid:16546; rev:7; service:http; service:imap; service:pop3; )
02331 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Possible malicious PDF detection - qweqwe="; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"><qwe qweqwe="; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; classtype:trojan-activity; sid:22941; rev:4; service:http; service:imap; service:pop3; )
02332 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Unknown malicious PDF - CreationDate"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/CreationDate (D:20100829161936"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; classtype:trojan-activity; sid:23043; rev:1; service:http; service:imap; service:pop3; )
02333 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Unknown malicious PDF - CreationDate"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/CreationDate (D:20120421195855"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; classtype:trojan-activity; sid:23044; rev:1; service:http; service:imap; service:pop3; )
02334 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Unknown malicious PDF - Title"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/Title (0aktEPbG1LcQ9f6d8l32m7gI5eY4)>>"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; classtype:trojan-activity; sid:23045; rev:1; service:http; service:imap; service:pop3; )
# NOTE(review): the msg names "CreationDate", but the only content match is the
# "/Creator(sli)/ModDate(D:2008..." fragment — analysts pivoting on the alert name
# will look for the wrong key. Confirm the intended name (ModDate) before renaming,
# since the msg string is what downstream dashboards and correlation rules key on.
02335 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Unknown Malicious PDF - CreationDate"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"<</Creator(sli)/ModDate(D:20080817171147-07|27|00|27|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; classtype:attempted-user; sid:23140; rev:1; service:http; service:imap; service:pop3; )
02336 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe flash player newfunction memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:" (lolol|5C|056swf)"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-1297; classtype:attempted-user; sid:23263; rev:2; service:http; service:imap; service:pop3; )
02354 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF JavaScript contained in an xml template embedded in a pdf attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"<template xmlns="; content:"http|3A|//www.xfa.org/",distance 1; content:"<event activity",distance 0; content:"initialize",within 50,distance 1; content:"application/x-javascript",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-1525; reference:cve,2012-1530; reference:url,prosauce.org/blog/2010/08/analyzing-cve-2010-0188-exploits-the-legend-of-pat-casey-part-1/; reference:url,www.adobe.com/support/security/bulletins/apsb12-16.html; reference:url,www.adobe.com/support/security/bulletins/apsb13-02.html; reference:url,www.thebaskins.com/main/component/content/article/15-work/58-malicious-pdf-analysis-reverse-code-obfuscation; reference:url,www.virustotal.com/file/ECA91825CA5CF6D8C06815CB471A0968F540878121CB13F971FD45C3EA3EBBAC/analysis/; classtype:trojan-activity; sid:23612; rev:4; service:http; service:imap; service:pop3; )
02355 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Blackhole exploit kit related malicious file detection"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"%PDF-1.",depth 7; content:"<</Creator(",distance 0,nocase; pcre:"/<<\x2fCreator\x28\d{2,3}(.)\d{2,3}\1\d{2,3}\1\d{2,3}\1/smi"; content:")/ModDate",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; classtype:trojan-activity; sid:23851; rev:2; service:http; service:imap; service:pop3; )
02357 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader invalid inline image attempt"; flow:to_client,established; file_data; flowbits:isset,file.pdf; content:"|30 34 9C 17 0E D6 9C 3D 64 EC E2 A4 D2 E0 7F EA FC DA 2E 70 CF D7 15 4E AC D7 11 7D 2F 94 6B 8E|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-4151; reference:url,www.adobe.com/support/security/bulletins/apsb12-16.html; classtype:denial-of-service; sid:23868; rev:2; service:http; service:imap; service:pop3; )
02359 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader postscript font execution malformed subroutine entries attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|1D CD 77 ED B6 D2 C2 E2 FD 7A C5 C0 EE FE AC A0 11 ED 3B 6A 90 84 3B CA A8 49 3E E9 9E 59 63 1E|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-4152; reference:url,www.adobe.com/support/security/bulletins/apsb12-16.html; classtype:denial-of-service; sid:23874; rev:2; service:http; service:imap; service:pop3; )
02361 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader Texture Declaration buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"stream|0A|U3D"; content:"|14 FF FF FF|"; content:"|55 FF FF FF|",distance 0; byte_jump:2,8,relative,little,post_offset 9; byte_test:4,>=,0x1,0,relative,little; content:"|00 0E 01 00|",within 4,distance 4; byte_test:2,>,0x260,4,relative,little; metadata:policy balanced-ips alert,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-2049; reference:url,www.adobe.com/support/security/bulletins/apsb12-16.html; classtype:attempted-user; sid:23879; rev:1; service:http; service:imap; service:pop3; )
02364 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader getAnnotsRichMedia return type confusion attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/Type /Annot|0A|",nocase; content:"/Subtype/RichMedia",distance 0,nocase; content:"getAnnotsRichMedia|28|"; pcre:"/var (?P<var>\w+)\s*=\s*getAnnotsRichMedia\x28.*?(?P=var)\.(pop|shift).*?>> endobj/ims"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-4147; classtype:attempted-dos; sid:23882; rev:1; service:http; service:imap; service:pop3; )
# NOTE(review): sids 23889 and 23890 reuse the msg text of sid 23882
# ("getAnnotsRichMedia return type confusion"), but neither rule looks for that API.
# Both match a "<</Type/PROJCS" (resp. "<</Type/GEOGCS") dictionary whose "/WKT(" string
# runs 1024+ bytes without a ">" and reference CVE-2012-2050, not CVE-2012-4147 — the
# alert name will misdirect triage. Confirm the intended name before changing it, as
# the msg is what SIEM correlation keys on.
02365 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader getAnnotsRichMedia return type confusion attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"<</Type/PROJCS",fast_pattern; content:"/WKT|28|",within 15; isdataat:1024,relative; content:!">",within 1024; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-2050; reference:url,www.adobe.com/support/security/bulletins/apsb12-16.html; classtype:attempted-dos; sid:23889; rev:2; service:http; service:imap; service:pop3; )
02366 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader getAnnotsRichMedia return type confusion attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"<</Type/GEOGCS",fast_pattern; content:"/WKT|28|",within 15; isdataat:1024,relative; content:!">",within 1024; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-2050; reference:url,www.adobe.com/support/security/bulletins/apsb12-16.html; classtype:attempted-dos; sid:23890; rev:2; service:http; service:imap; service:pop3; )
02369 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-PDF CUPS and Xpdf JBIG2 symbol dictionary buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"JBIG2Decode"; content:"|03 FF FD FF 02 FE FE FE 00 00 00 36 FF FF FF F0 94 6B 62 1B|",within 1000; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-0195; reference:url,www.cups.org/str.php?L3129; classtype:attempted-user; sid:17641; rev:3; service:http; )
02370 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat Reader malicious charstring stream attempt"; flow:to_client,established; file_data; content:"|F7 0F 8E 10 DF 11 F0 13 0F 14 58 15 4D 16 7E 17 A6 19 15 1A 8C 1B 8E 1C E4 1E 2B 1F 13 20 26 22 04 24 1B 25 53 25 B3 26 A4 27 F8 28 D4 29 E0 2A|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2012-4159; reference:url,www.adobe.com/support/security/bulletins/apsb12-16.html; classtype:attempted-user; sid:24148; rev:1; service:http; service:imap; service:pop3; )
02372 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat and Acrobat Reader embedded TTF bytecode memory corruption attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|2C 23 4B 54 58 20 20 60 B0 01 60 25 8A 38 1B 23 21 59 B8 FF FF 62 2D|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,55015; reference:cve,2012-4154; reference:url,www.adobe.com/support/security/bulletins/apsb12-16.html; classtype:attempted-user; sid:24152; rev:1; service:http; service:imap; service:pop3; )
02374 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Overly large CreationDate within a pdf - likely malicious"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/CreationDate("; isdataat:500,relative; content:")>>",distance 0; pcre:"/\/CreationDate\x28[^\x3c\x29]{500}/"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; classtype:misc-activity; sid:24263; rev:4; service:http; service:imap; service:pop3; )
02376 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Sophos Antivirus PDF parsing stack overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"%PDF-1.",nocase; content:"|49 92 24 49 92 24 49 92 24 49 92 24 49 92 24 49 92 24 49 92 24 49 92 24 49 92 24|",within 200; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,lock.cmpxchg8b.com/sophailv2.pdf; reference:url,nakedsecurity.sophos.com/2012/11/05/tavis-ormandy-sophos/; classtype:attempted-user; sid:24625; rev:3; service:http; service:imap; service:pop3; )
02378 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Sophos Antivirus PDF parsing stack overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"<</Filter",nocase; content:"/Standard",within 15,fast_pattern,nocase; content:"/Length",within 15,nocase; byte_test:10,>,256,0,relative,string; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,lock.cmpxchg8b.com/sophailv2.pdf; reference:url,nakedsecurity.sophos.com/2012/11/05/tavis-ormandy-sophos/; classtype:attempted-user; sid:24763; rev:1; service:http; service:imap; service:pop3; )
02380 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF OpenType parsing buffer overflow attempt"; flow:to_client, established; flowbits:isset,file.pdf; file_data; content:"/Type /Font|0A|/Subtype /TrueType|0A|"; content:"ttcf",distance 0; byte_test:4,>,0x40000000,4,relative; metadata:policy balanced-ips drop,service http,service imap,service pop3; reference:cve,2013-0604; classtype:attempted-user; sid:25461; rev:1; service:http; service:imap; service:pop3; )
02382 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Acrobat Reader structtreeroot children recursive call denial of service attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|0A 73 74 72 65 61 6D 0D 0A 78 9C BD 57 4D 6F DB 48 0C BD 2F B0 FF 81 C7 EC 49 F3 FD 01 14 05 D2|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-0626; reference:url,www.adobe.com/support/security/bulletins/apsb13-02.html; classtype:denial-of-service; sid:25467; rev:1; service:http; service:imap; service:pop3; )
02386 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader known malicious variable exploit attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/OpenAction "; content:"/JS ",within 100; content:"ROP_ADD_ESP_4 = "; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-0640; reference:cve,2013-0641; reference:url,osvdb.org/show/osvdb/90169; reference:url,www.adobe.com/support/security/advisories/apsa13-02.html; reference:url,www.adobe.com/support/security/bulletins/apsb13-07.html; classtype:attempted-admin; sid:25818; rev:4; service:http; service:imap; service:pop3; )
02388 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader XML JavaScript used in app.setTimeOut"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"app.setTimeOut"; content:"|2F|JavaScript"; content:"|2F|XFA"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,57931; reference:cve,2013-0640; reference:cve,2013-0641; reference:url,www.adobe.com/support/security/advisories/apsa13-02.html; reference:url,www.adobe.com/support/security/bulletins/apsb13-07.html; classtype:attempted-admin; sid:26021; rev:3; service:http; service:imap; service:pop3; )
# Heuristic, not exploit-specific: fires on any HTTP-delivered PDF whose header reads
# "%PDF-1.1" and which later uses /FlateDecode. NOTE(review): the pairing is presumably
# treated as anomalous because FlateDecode post-dates the 1.1 format — confirm; and since
# both policies drop, expect false positives from generators that emit stale version headers.
02391 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-PDF PDF version 1.1 with FlateDecode embedded - seen in exploit kits"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"%PDF-1.1"; content:"/FlateDecode",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:26231; rev:1; service:http; )
02392 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader javascript regex embedded sandbox escape attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|5C|(|5C|)|5C|(|5C|)|5C|(|5C|)|5C|(|5C|)|5C|(|5C|)",fast_pattern; content:"RegEx",within 100,distance -100; pcre:"/^p?\s*\x5c\([^\x3b]*?\x5c\(\x5c\)\x5c\(\x5c\)\x5c\(\x5c\)\x5c\(\x5c\)\x5c\(\x5c\)/Rims"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-2550; reference:url,www.adobe.com/support/security/bulletins/apsb13-15.html; classtype:attempted-user; sid:26650; rev:2; service:http; service:imap; service:pop3; )
02393 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader X XML forms specially crafted RLE8 format BMP integer overflow attempt"; flow:to_client,established; file_data; content:"|C6 1D 00 E0 F7 FE 14 37 BD 08 6C 38 FA 1B 3B 69 62 2B 81 EB A6 5D 86 0D 68 96 74 2F 86 01 05 2D|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-2729; reference:url,www.adobe.com/support/security/bulletins/apsb13-15.html; classtype:attempted-user; sid:26651; rev:1; service:http; service:imap; service:pop3; )
02395 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF PDF with click-to-launch executable"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"obj",nocase; content:"<<",within 4; content:"/La",within 100,nocase; content:"/F"; pcre:"/\/La(.)*?\s*?\/F[^\/>]+\.(exe|dll|swf)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-1240; reference:url,blog.didierstevens.com/2010/03/29/escape-from-pdf/; reference:url,blogs.adobe.com/adobereader/2010/04/didier_stevens_launch_function.html; classtype:misc-activity; sid:26661; rev:1; service:http; service:imap; service:pop3; )
02397 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF Adobe Reader dll injection sandbox escape"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|6A 00 68 3F 00 0F 00 6A 00 6A 00 6A 00 68 6F 05 00 00 68 01 00 00 80 89 54 24 40 FF 54 24 4C 83 EC 0C 68 E0 01 00 00 8D 44 24 68 50 6A 00 6A 00 68 A9 05 00 00 FF B4 24 78 10 00 00 FF 54 24 50 68 C5 00 00 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-2730; reference:url,www.adobe.com/support/security/bulletins/apsb13-15.html; classtype:attempted-user; sid:26694; rev:2; service:http; service:imap; service:pop3; )
# INDICATOR-COMPROMISE. Mind the direction on sids 22098 and 22940: $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET
# with flow:to_client means the match is in a response SERVED by a web server inside $HOME_NET, so a hit
# points at a compromised internal host, not at a victim browser.
# sid 22098: "\x63\x72\x65\x61\x74\x65\x5f\x66\x75\x6e\x63\x74\x69\x6f\x6e" is "create_function" written as
#   hex escapes; the content is case-sensitive, so only lowercase \x.. escapes match. impact_flag red.
# sid 22940: <iframe ... src="http://<host>&#46;<label>.pl/rc/"> — the pcre requires a host where a dot is
#   written as the HTML entity &#46; (Virut propagation iframe); ".pl/rc/" is the fast pattern.
#   Alert-only in both policies (balanced-ips alert, security-ips alert).
# sid 23016: inbound on $FILE_DATA_PORTS; the content is base64 of the c99shell banner
#   "**\r\n*\r\n*\t\t\t\t\tc99shell.php v", i.e. a base64-wrapped copy of the shell being fetched.
02402 alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any ( msg:"INDICATOR-COMPROMISE hex-encoded create_function detected"; flow:to_client,established; file_data; content:"|5C|x63|5C|x72|5C|x65|5C|x61|5C|x74|5C|x65|5C|x5f|5C|x66|5C|x75|5C|x6e|5C|x63|5C|x74|5C|x69|5C|x6f|5C|x6e"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; classtype:attempted-user; sid:22098; rev:1; service:http; )
02403 alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any ( msg:"INDICATOR-COMPROMISE Win32.Virut web propagation detection"; flow:to_client,established; file_data; content:"<iframe"; content:".pl/rc/",distance 0,fast_pattern; pcre:"/\x3ciframe[^\x3e]*?src\x3d\x22http\x3a\x2f\x2f[^\x26\x2e]+\x26\x2346\x3b[^\x2e]+\x2epl\x2frc\x2f\x22/"; metadata:impact_flag red,policy balanced-ips alert,policy security-ips alert,service http; reference:url,securelist.com/en/analysis/204792122/; classtype:trojan-activity; sid:22940; rev:1; service:http; )
02408 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-COMPROMISE base64-encoded c99shell download"; flow:to_client,established; file_data; content:"KioNCioNCioJCQkJCWM5OXNoZWxsLnBocCB2"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:trojan-activity; sid:23016; rev:3; service:http; service:imap; service:pop3; )
# WSO web shell pages. Source/destination are "any", so these fire in either direction on $HTTP_PORTS
# responses. Every rule anchors on the 3-byte, case-sensitive "WSO" and then a longer token from the
# shell's HTML/JS: the toolsTbl/toolsInp element ids (generic, sid 21117) or the `var a_ = '<module>'`
# assignment that selects the SecInfo / FilesMan / Console / Sql view (sids 21118-21121). Expect the
# generic sid and one module sid to fire together on the same page.
02409 alert tcp any $HTTP_PORTS -> any any ( msg:"INDICATOR-COMPROMISE WSO web shell"; flow:to_client, established; file_data; content:"WSO"; content:"toolsTbl"; content:"toolsInp"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,thehackernews.com/2011/06/wso-new-version-25-web-shell-2011.html; classtype:trojan-activity; sid:21117; rev:2; service:http; )
02410 alert tcp any $HTTP_PORTS -> any any ( msg:"INDICATOR-COMPROMISE WSO web shell security information display"; flow:to_client, established; file_data; content:"WSO"; content:"var a_ = 'SecInfo'"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,thehackernews.com/2011/06/wso-new-version-25-web-shell-2011.html; classtype:trojan-activity; sid:21118; rev:2; service:http; )
02411 alert tcp any $HTTP_PORTS -> any any ( msg:"INDICATOR-COMPROMISE WSO web shell interactive file system information display"; flow:to_client, established; file_data; content:"WSO"; content:"var a_ = 'FilesMan'"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,thehackernews.com/2011/06/wso-new-version-25-web-shell-2011.html; classtype:trojan-activity; sid:21119; rev:2; service:http; )
02412 alert tcp any $HTTP_PORTS -> any any ( msg:"INDICATOR-COMPROMISE WSO web shell interactive console display"; flow:to_client, established; file_data; content:"WSO"; content:"var a_ = 'Console'"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,thehackernews.com/2011/06/wso-new-version-25-web-shell-2011.html; classtype:trojan-activity; sid:21120; rev:2; service:http; )
02413 alert tcp any $HTTP_PORTS -> any any ( msg:"INDICATOR-COMPROMISE WSO web shell interactive SQL display"; flow:to_client, established; file_data; content:"WSO"; content:"var a_ = 'Sql'"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,thehackernews.com/2011/06/wso-new-version-25-web-shell-2011.html; classtype:trojan-activity; sid:21121; rev:2; service:http; )
# MulCiShell web shell pages (direction-agnostic, any $HTTP_PORTS -> any). All twelve rules share the
# "<title>MulCiShell" anchor; sid 21129 has nothing else and is the catch-all, the remaining eleven add one
# page-specific string (sids 21132 and 21134 chain several contents with distance 0, i.e. in that order,
# anywhere after the previous match). A single shell page will normally raise sid 21129 plus one page sid.
02414 alert tcp any $HTTP_PORTS -> any any ( msg:"INDICATOR-COMPROMISE Mulcishell web shell"; flow:to_client,established; file_data; content:"<title>MulCiShell"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3502.0; classtype:trojan-activity; sid:21129; rev:3; service:http; )
02415 alert tcp any $HTTP_PORTS -> any any ( msg:"INDICATOR-COMPROMISE Mulcishell web shell enumeration page"; flow:to_client,established; file_data; content:"<title>MulCiShell"; content:"Enumerated shell link:"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3502.0; classtype:trojan-activity; sid:21130; rev:3; service:http; )
02416 alert tcp any $HTTP_PORTS -> any any ( msg:"INDICATOR-COMPROMISE Mulcishell web shell domain lookup page"; flow:to_client,established; file_data; content:"<title>MulCiShell"; content:"Enter any Domain-name to lookup"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3502.0; classtype:trojan-activity; sid:21131; rev:3; service:http; )
02417 alert tcp any $HTTP_PORTS -> any any ( msg:"INDICATOR-COMPROMISE Mulcishell web shell sql interaction page"; flow:to_client,established; file_data; content:"<title>MulCiShell"; content:"Host:"; content:"Username:",distance 0; content:"Password:",distance 0; content:"Port:",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3502.0; classtype:trojan-activity; sid:21132; rev:3; service:http; )
02418 alert tcp any $HTTP_PORTS -> any any ( msg:"INDICATOR-COMPROMISE Mulcishell web shell encoder page"; flow:to_client,established; file_data; content:"<title>MulCiShell"; content:"Encrypt"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3502.0; classtype:trojan-activity; sid:21133; rev:3; service:http; )
02419 alert tcp any $HTTP_PORTS -> any any ( msg:"INDICATOR-COMPROMISE Mulcishell web shell security information page"; flow:to_client,established; file_data; content:"<title>MulCiShell"; content:"PHP Version"; content:"Safe mode",distance 0; content:"Magic_Quotes",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3502.0; classtype:trojan-activity; sid:21134; rev:3; service:http; )
02420 alert tcp any $HTTP_PORTS -> any any ( msg:"INDICATOR-COMPROMISE Mulcishell web shell password cracking page"; flow:to_client,established; file_data; content:"<title>MulCiShell"; content:"Password crackers"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3502.0; classtype:trojan-activity; sid:21135; rev:3; service:http; )
02421 alert tcp any $HTTP_PORTS -> any any ( msg:"INDICATOR-COMPROMISE Mulcishell web shell security bypass page"; flow:to_client,established; file_data; content:"<title>MulCiShell"; content:"Security (open_basedir) bypassers"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3502.0; classtype:trojan-activity; sid:21136; rev:3; service:http; )
02422 alert tcp any $HTTP_PORTS -> any any ( msg:"INDICATOR-COMPROMISE Mulcishell web shell tools page"; flow:to_client,established; file_data; content:"<title>MulCiShell"; content:"Port scanner"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3502.0; classtype:trojan-activity; sid:21137; rev:3; service:http; )
02423 alert tcp any $HTTP_PORTS -> any any ( msg:"INDICATOR-COMPROMISE Mulcishell web shell database parsing page"; flow:to_client,established; file_data; content:"<title>MulCiShell"; content:"Database parser"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3502.0; classtype:trojan-activity; sid:21138; rev:3; service:http; )
02424 alert tcp any $HTTP_PORTS -> any any ( msg:"INDICATOR-COMPROMISE Mulcishell web shell spread shell page"; flow:to_client,established; file_data; content:"<title>MulCiShell"; content:"[ Kill Shell ]"; content:"This tool will attempt to copy the shell into every writable director",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3502.0; classtype:trojan-activity; sid:21139; rev:3; service:http; )
02425 alert tcp any $HTTP_PORTS -> any any ( msg:"INDICATOR-COMPROMISE Mulcishell web shell kill shell page"; flow:to_client,established; file_data; content:"<title>MulCiShell"; content:"Do you *really* want to kill the shell?"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3502.0; classtype:trojan-activity; sid:21140; rev:3; service:http; )
# sid 23107: BeEF hook.js being delivered to a browser, matched on a literal from the hook itself
#   ("beef.onpopstate.push(function(event)"). No reference is attached; the string is the whole signal.
# sid 26585: an <iframe> whose body mentions config.inc.php within 100 bytes of the tag and is closed by
#   </iframe> — the auto-generated Blackhole redirector iframes from the Sucuri write-up. Community ruleset.
02427 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"INDICATOR-COMPROMISE BeEF javascript hook.js download attempt"; flow:to_client,established; file_data; content:"beef.onpopstate.push(function(event)"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:attempted-user; sid:23107; rev:3; service:http; )
02430 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"INDICATOR-COMPROMISE config.inc.php in iframe"; flow:to_client,established; file_data; content:"<iframe"; content:"config.inc.php",within 100; content:"</iframe>",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,blog.sucuri.net/2013/05/auto-generated-iframes-to-blackhole-exploit-kit-following-the-cookie-trail.html; classtype:trojan-activity; sid:26585; rev:1; service:http; )
# INDICATOR-OBFUSCATION, JavaScript split-string concatenation (inbound on $FILE_DATA_PORTS, so HTTP,
# IMAP and POP3 bodies). Each rule is one exact, case-sensitive concatenation — "from"+"CharCod"+"e",
# "fromCharCod"+"e", "eva"+"l", "c"+"h"+"ar"+"Code" — so a different split point needs a different sid.
# sid 21519: the `("dadongs=")` marker of the Dadong's JSXX packer from the Chinese exploit pack write-up
# (classtype misc-activity, unlike the attempted-user rules below).
02432 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION Dadongs obfuscated javascript"; flow:to_client,established; file_data; content:"(|22|dadongs=|22|)"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.kahusecurity.com/2012/chinese-pack-using-dadongs-jsxx-vip-script/; classtype:misc-activity; sid:21519; rev:3; service:http; service:imap; service:pop3; )
02434 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION JavaScript obfuscation - fromCharCode"; flow:to_client,established; file_data; content:"|22|from|22|+|22|CharCod|22|+|22|e|22|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; classtype:attempted-user; sid:21580; rev:3; service:http; service:imap; service:pop3; )
02435 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION JavaScript obfuscation - fromCharCode"; flow:to_client,established; file_data; content:"|22|fromCharCod|22|+|22|e|22|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; classtype:attempted-user; sid:21579; rev:4; service:http; service:imap; service:pop3; )
02436 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION JavaScript obfuscation - eval"; flow:to_client,established; file_data; content:"|22|eva|22|+|22|l|22|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; classtype:attempted-user; sid:21578; rev:4; service:http; service:imap; service:pop3; )
02437 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION JavaScript obfuscation - charcode"; flow:to_client,established; file_data; content:"|22|c|22|+|22|h|22|+|22|ar|22|+|22|Code|22|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; classtype:attempted-user; sid:21577; rev:4; service:http; service:imap; service:pop3; )
# Word documents (flowbits:isset,file.doc) carrying JavaScript inside OCX control data. All contents are
# UTF-16LE ("O|00|C|00|X|00|D|00|A|00|T|00|A|00|" is "OCXDATA") and ordered with distance 0: OCXDATA, then
# "javascript", then the interesting call — eval / fromCharCode / unescape / charCode — case-insensitive.
# A document that uses several of these will raise several of the four sids.
02439 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION Microsoft Office Word JavaScript obfuscation - eval"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"O|00|C|00|X|00|D|00|A|00|T|00|A|00|"; content:"j|00|a|00|v|00|a|00|s|00|c|00|r|00|i|00|p|00|t|00|",distance 0,nocase; content:"e|00|v|00|a|00|l|00|",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; classtype:attempted-user; sid:22071; rev:1; service:http; service:imap; service:pop3; )
02440 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION Microsoft Office Word JavaScript obfuscation - fromCharCode"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"O|00|C|00|X|00|D|00|A|00|T|00|A|00|"; content:"j|00|a|00|v|00|a|00|s|00|c|00|r|00|i|00|p|00|t|00|",distance 0,nocase; content:"f|00|r|00|o|00|m|00|C|00|h|00|a|00|r|00|C|00|o|00|d|00|e|00|",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; classtype:attempted-user; sid:22072; rev:1; service:http; service:imap; service:pop3; )
02441 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION Microsoft Office Word JavaScript obfuscation - unescape"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"O|00|C|00|X|00|D|00|A|00|T|00|A|00|"; content:"j|00|a|00|v|00|a|00|s|00|c|00|r|00|i|00|p|00|t|00|",distance 0,nocase; content:"u|00|n|00|e|00|s|00|c|00|a|00|p|00|e|00|",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; classtype:attempted-user; sid:22073; rev:1; service:http; service:imap; service:pop3; )
02442 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION Microsoft Office Word JavaScript obfuscation - charCode"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"O|00|C|00|X|00|D|00|A|00|T|00|A|00|"; content:"j|00|a|00|v|00|a|00|s|00|c|00|r|00|i|00|p|00|t|00|",distance 0,nocase; content:"c|00|h|00|a|00|r|00|C|00|o|00|d|00|e|00|",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; classtype:attempted-user; sid:22074; rev:1; service:http; service:imap; service:pop3; )
# Fragments of one JavaScript obfuscator, written in hex so the quotes survive the rule parser:
#   sid 23085: b="j"+"o"+'i';   sid 23086: a='pus'+'h';   sid 23087: q=x+'v'+'al';
#   sid 23088: <qwe qweqwe='asd'/>
# sid 23089 uses a named pcre backreference so the same tag prefix X must appear in
#   <X:present> ... <X:interactive>1</X:interactive>.
# classtype bad-unknown: these identify the obfuscator's output, not a specific exploit.
02443 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION Obfuscated javascript string - join"; flow:to_client,established; file_data; content:"b|3D 22|j|22 2B 22|o|22 2B 27|i|27 3B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; classtype:bad-unknown; sid:23085; rev:1; service:http; service:imap; service:pop3; )
02444 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION Obfuscated javascript string - push"; flow:to_client,established; file_data; content:"a|3D 27|pus|27 2B 27|h|27 3B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; classtype:bad-unknown; sid:23086; rev:1; service:http; service:imap; service:pop3; )
02445 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION Obfuscated javascript string - xval"; flow:to_client,established; file_data; content:"q|3D|x|2B 27|v|27 2B 27|al|27 3B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; classtype:bad-unknown; sid:23087; rev:1; service:http; service:imap; service:pop3; )
02446 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION Obfuscated javascript string - qweqwe"; flow:to_client,established; file_data; content:"<qwe qweqwe=|27|asd|27|/>"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; classtype:bad-unknown; sid:23088; rev:1; service:http; service:imap; service:pop3; )
02447 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION Obfuscated javascript strings - obfuscation pattern"; flow:to_client,established; file_data; content:"|3A|present>"; content:"|3A|interactive>1</",distance 0; pcre:"/\x3c(?P<string>\w+)\x3apresent.*?\x3c(?P=string)\x3ainteractive.*?\x3c\x2f(?P=string)\x3ainteractive/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; classtype:bad-unknown; sid:23089; rev:1; service:http; service:imap; service:pop3; )
# PHP web-shell delivery indicators (VRT "web shell poses as GIF").
# sid 23113: eval( followed by gzinflate( and then base64_decode(, each within 25 bytes of the previous
#   match, case-insensitive — the classic eval(gzinflate(base64_decode(...))) loader.
# sid 23114: "GIF89a" at offset 0 (depth 6) with "<?php" in the following 100 bytes — PHP wearing a GIF
#   header, presumably to pass image-upload checks.
# Both are alert-only in balanced-ips and drop only in security-ips; the lighter default is presumably
# because benign encoded PHP uses the same call chain — confirm your false-positive rate before escalating.
02448 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION eval gzinflate base64_decode call - likely malicious"; flow:to_client,established; file_data; content:"eval|28|",nocase; content:"gzinflate|28|",within 25,nocase; content:"base64_decode|28|",within 25,nocase; metadata:policy balanced-ips alert,policy security-ips drop,service http,service imap,service pop3; reference:url,labs.snort.org/docs/23113.txt; reference:url,vrt-blog.snort.org/2012/06/web-shell-poses-as-gif.html; classtype:misc-activity; sid:23113; rev:4; service:http; service:imap; service:pop3; )
02449 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION GIF header with PHP tags - likely malicious"; flow:to_client,established; file_data; content:"GIF89a",depth 6,nocase; content:"<?php",within 100,nocase; metadata:policy balanced-ips alert,policy security-ips drop,service http,service imap,service pop3; reference:url,labs.snort.org/docs/23114.txt; reference:url,vrt-blog.snort.org/2012/06/web-shell-poses-as-gif.html; classtype:misc-activity; sid:23114; rev:5; service:http; service:imap; service:pop3; )
# More JavaScript obfuscation indicators. Unless noted these are exact split-string concatenations like the
# sids above ("fromCharC"+"ode", "e"+"val", "doc"+"ument", "f"+"ro"+"mCh"+"arCode", "fro"+"mC"+"harCode").
# sid 23226: literal `window.onerror = function () {return true` — global error suppression.
# sid 23621: Dean Edwards' packer header "eval(function(p,a,c,k,e,r)" whose pipe-separated dictionary
#   contains |fromCharCode|, |charCodeAt| and |eval| in that order (packer output with a second decoder
#   layer inside). Community ruleset.
# sid 23636: ['parse'+'Int']( — a built-in called through a split name in bracket notation.
# sid 17291: <object data="...;base64,..."> — an RFC 2397 data: URI as an object source; classtype
#   policy-violation, so it is a policy signal rather than an attack signal.
# sid 24167: document.write(unescape('%3C%73...%2F%2F — the escaped prefix decodes to <script src="http://
#   (a remotely sourced script injected via unescape). Balanced-ips alert only.
# sid 26352: a fixed 45-byte run that appears to be a PE DOS stub ("This program cannot be run in DOS
#   mode\r\n") with every second byte altered — i.e. a lightly encoded executable; no external reference.
# sid 18239: var X = location.search.substring(1) ... X.charCodeAt(i%X.length) — a decryption key taken
#   from the URL query string; the pcre backreference requires both uses to be the same variable.
02450 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION Javascript obfuscation - fromCharCode"; flow:to_client,established; file_data; content:"|22|fromCharC|22|+|22|ode|22|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; classtype:attempted-user; sid:23160; rev:1; service:http; service:imap; service:pop3; )
02451 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION Javascript obfuscation - eval"; flow:to_client,established; file_data; content:"|22|e|22|+|22|val|22|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; classtype:attempted-user; sid:23161; rev:1; service:http; service:imap; service:pop3; )
02452 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION JavaScript error suppression routine"; flow:to_client,established; file_data; content:"window.onerror = function|20 28 29 20 7B|return true"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; classtype:misc-activity; sid:23226; rev:3; service:http; service:imap; service:pop3; )
02453 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION known packer routine with secondary obfuscation"; flow:to_client,established; file_data; content:"eval(function(p,a,c,k,e,r)"; content:"|7C|fromCharCode|7C|",nocase; content:"|7C|charCodeAt|7C|",distance 0,nocase; content:"|7C|eval|7C|",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http,service imap,service pop3; reference:url,dean.edwards.name/packer/; classtype:misc-activity; sid:23621; rev:4; service:http; service:imap; service:pop3; )
02454 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION JavaScript built-in function parseInt appears obfuscated - likely packer or encoder"; flow:to_client,established; file_data; content:"|5B 27|parse|27 2B 27|Int|27 5D 28|"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http,service imap,service pop3; reference:url,labs.snort.org/docs/23636.txt; classtype:trojan-activity; sid:23636; rev:6; service:http; service:imap; service:pop3; )
02455 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION base64-encoded uri data object found"; flow:to_client,established; file_data; content:"base64"; pcre:"/<\s*object[^>]*?data\s*\x3A[^,>]*?base64/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,tools.ietf.org/html/rfc2397; classtype:policy-violation; sid:17291; rev:4; service:http; )
02462 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION document write of unescaped value with remote script"; flow:to_client,established; file_data; content:"document.write|28|unescape|28 27|%3C%73%63%72%69%70%74%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F"; metadata:policy balanced-ips alert,policy security-ips drop,service http,service imap,service pop3; classtype:trojan-activity; sid:24167; rev:3; service:http; service:imap; service:pop3; )
02463 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION obfuscated document command - used in exploit kits"; flow:to_client,established; file_data; content:"|22|doc|22 2B 22|ument|22|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:25592; rev:2; service:http; )
02465 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION fromCharCode seen in exploit kit landing pages"; flow:to_client,established; file_data; content:"|22|f|22|+|22|ro|22|+|22|mCh|22|+|22|arCode|22|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:26092; rev:1; service:http; )
02466 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION String.fromCharCode concatenation"; flow:to_client,established; file_data; content:"|22|fro|22|+|22|mC|22|+|22|harCode|22|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,malware.dontneedcoffee.com/2013/03/hello-neutrino-just-one-more-exploit-kit.html; classtype:trojan-activity; sid:26101; rev:1; service:http; )
02467 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION obfuscated portable executable - seen in exploit kits"; flow:to_client,established; file_data; content:"|88 54 68 25 DA 20 70 FE C5 67 72 ED C3 20 63 ED C6 6E 6F F8 88 62 65 AC DA 75 6E AC BF 6E 20 10 E6 53 20 E1 C5 64 65 FA A3 0D 0A E8 A8|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:26352; rev:1; service:http; )
02468 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION known malicious JavaScript decryption routine"; flow:to_client,established; file_data; content:"location.search.substring|28|1|29|",nocase; content:".charCodeAt|28|",within 200; pcre:"/var\s+(\w+)\s*=\s*location\.search\.substring\(1\).{1,200}\1\.charCodeAt\(i\x25\1\.length\)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:attempted-user; sid:18239; rev:4; service:http; )
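# base64-encoded "%u4141%u4141%u4141..." — a %u-escaped NOP-style sled hidden inside base64. Base64 works
# on 3-byte groups and "%u4141" is 6 bytes, so a long sled encodes to one of exactly three repeating
# strings depending on where it starts relative to a 3-byte boundary; one sid covers each alignment:
#   sid 26565: "%u4141%u4141%u4141" -> JXU0MTQxJXU0MTQxJXU0MTQx
#   sid 26566: "4141%u4141%u414"    -> NDE0MSV1NDE0MSV1NDE0
#   sid 26567: "u4141%u4141%u4141"  -> dTQxNDEldTQxNDEldTQxNDE
# sid 26567 rev 2: the rev 1 content ended in "K" (...NDEK), and "NDEK" decodes to "41\n" — so it only
# matched a sled that ENDS right there with a newline. A longer sled at this alignment continues as
# "...NDEl" (the "%" of the next unit) and was missed entirely. Dropping the final character leaves the
# 23-character prefix common to every continuation (NDEl, NDE=, NDEK), which is what the other two sids do.
02469 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION base64-encoded nop sled detected"; flow:to_client,established; file_data; content:"JXU0MTQxJXU0MTQxJXU0MTQx"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; classtype:trojan-activity; sid:26565; rev:1; service:http; service:imap; service:pop3; )
02470 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION base64-encoded nop sled detected"; flow:to_client,established; file_data; content:"NDE0MSV1NDE0MSV1NDE0"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; classtype:trojan-activity; sid:26566; rev:1; service:http; service:imap; service:pop3; )
02471 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION base64-encoded nop sled detected"; flow:to_client,established; file_data; content:"dTQxNDEldTQxNDEldTQxNDE"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; classtype:trojan-activity; sid:26567; rev:2; service:http; service:imap; service:pop3; )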
# Further split-string concatenations seen on exploit-kit landing pages: "getEl"+"eme"+"ntsByTagName
# (sid 27073, note no closing quote is required), "g"+"e"+"tEleme"+"nts"+"ByTagName" (27074),
# "fro"+"mC"+"harC"+"o"+"de" (27272) and "s"+"pli"+"t" (27593). Exact, case-sensitive matches — a new
# split point needs a new sid. 27272 watches $FILE_DATA_PORTS (HTTP/IMAP/POP3), the others HTTP only.
02472 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION obfuscated getElementsByTagName string - seen in exploit kits"; flow:to_client,established; file_data; content:"|22|getEl|22|+|22|eme|22|+|22|ntsByTagName"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:27073; rev:1; service:http; )
02473 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION obfuscated getElementsByTagName string - seen in exploit kits"; flow:to_client,established; file_data; content:"|22|g|22|+|22|e|22|+|22|tEleme|22|+|22|nts|22|+|22|ByTagName|22|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:27074; rev:1; service:http; )
02474 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION Javascript obfuscation - fromCharCode"; flow:to_client,established; file_data; content:"|22|fro|22|+|22|mC|22|+|22|harC|22|+|22|o|22|+|22|de|22|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; classtype:attempted-user; sid:27272; rev:1; service:http; service:imap; service:pop3; )
02475 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION Javascript obfuscation - split"; flow:to_client,established; file_data; content:"|22|s|22|+|22|pli|22|+|22|t|22|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:attempted-user; sid:27593; rev:1; service:http; )
# INDICATOR-SHELLCODE. sids 17392/17393 first look for the bare word (with a leading space, case-
# insensitive) as a cheap pre-filter, then require an actual declaration via pcre: `var shellcode =`,
# or `var heapspray<anything in [A-Z0-9_ ]> =` — so "heapsprayBlock =" and "heapspray_1 =" also hit.
# Variable names are trivial for an attacker to change; these are convenience catches for lazy payloads.
# sid 23236: a fixed run of %uXXXX escapes that, per the msg, is an upper-case alphanumeric x86 decoder
#   stub; note this one is also set to drop in the connectivity-ips policy.
02493 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE JavaScript var shellcode"; flow:to_client,established; file_data; content:" shellcode",nocase; pcre:"/var\s+shellcode\s*=/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; classtype:shellcode-detect; sid:17392; rev:5; service:http; service:imap; service:pop3; )
02494 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE JavaScript var heapspray"; flow:to_client,established; file_data; content:" heapspray",nocase; pcre:"/var\s+heapspray[A-Z\d_\s]*=/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; classtype:shellcode-detect; sid:17393; rev:6; service:http; service:imap; service:pop3; )
02520 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE x86 OS agnostic alpha numeric upper case javascript decoder"; flow:established,to_client; file_data; content:"%u5456%u3358%u5630%u3458%u5041%u4130%u4833%u3048%u3041%u4130%u4142%u4241%u4154%u5141%u4132%u3242%u4242%u4230%u5842%u3850%u4341"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; classtype:shellcode-detect; sid:23236; rev:2; service:http; )
# Win.Backdoor.Dulevco.A: an inbound PE (flowbits:isset,file.exe) containing "/index.php", "COMPNAME_END",
# then "COMPNAME" starting exactly 4 bytes after the end of that match (distance 4 with within 8 for an
# 8-byte pattern leaves only one position), and "CODE_START"; all case-insensitive. impact_flag red.
02557 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-BACKDOOR Win.Backdoor.Dulevco.A runtime detection"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"/index.php",nocase; content:"COMPNAME_END",nocase; content:"COMPNAME",within 8,distance 4,nocase; content:"CODE_START",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/en/file/B91D64E9FE35C0B2164239E751F353CCCE861A718FAEF5E4D4887DB7BAD0BAEC/analysis/; classtype:trojan-activity; sid:26610; rev:2; service:http; service:imap; service:pop3; )
# MALWARE-CNC, inbound HTTP responses to an infected host unless noted.
# sid 21984 BamCompiled: <zombis><JUNIPER-M3>...</JUNIPER-M3></zombis> (pcre with DOTALL).
# sid 21631 Sinowal: an IIFE "(function(){function N ..." that checks navigator.userAgent for
#   "Windows NT 6." and re-arms itself with setTimeout(N,10); the pcre backreference ties the function
#   name in the timer call to the declared name.
# sid 21548 Cutwail landing page: "<h1>WAIT PLEASE</h1>\r\n <h3>Loading...</h3>", byte-exact including
#   the CRLF and the single space.
# sids 15564/15565 RSPlug: "#!/bin/sh" followed at least 50 bytes later by a fragment of the obfuscated
#   payload. The msg says "Win.Trojan", but the content is a shell script and the Sophos reference is
#   OSX/RSPlug-F — treat hits as a Mac (OS X) download, not a Windows one.
# sid 21435 Mentor: only after the trojan.mentor flowbit was set earlier; "[UPDATE]\r\nVER = ".
# sid 21430 BeeOne: three hostnames in order (cbs.firstcitiz..., ibbpowerlink.com, cashmanager.mizuhoe-
#   treasurer.com), presumably a target list pushed to the bot — confirm against the sample.
# sid 24185 Rokiwobi: "cmdtimer~~" must open the response body (depth 10).
# sid 17235 VBMania: UTF-16LE "SendEmail.dll\0" followed by three SEPARATE occurrences of ".iq\0" — the
#   three identical contents with distance 0 are intentional; each must be a fresh match after the last.
# sid 25093 Hacktool: $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET with flow:to_client, so despite "outbound
#   connection" in the msg this matches the banner ("proxy server on port [", "waiting for client ...",
#   "Authentication begin....") served by a host INSIDE $HOME_NET to an external client — i.e. an internal
#   host running the tool as a server. impact_flag red.
02603 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Trojan.BamCompiled variant inbound updates"; flow:to_client,established; file_data; content:"<zombis>"; pcre:"/<zombis>\s*<JUNIPER-M3>.*?</JUNIPER-M3>\s*</zombis>/si"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/7cc3fa3197a5efd486d64483855cb55801e32ecd1e51a9b5e4cdf64f454874dc/analysis/; classtype:trojan-activity; sid:21984; rev:2; service:http; )
02618 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Trojan.Sinowal javascript delivery method"; flow:to_client,established; file_data; content:"(function(){function "; content:"window.navigator.userAgent.indexOf(|22|Windows NT 6.|22|",distance 0; content:"else setTimeout(",distance 0; content:",10)}",distance 0; content:"()})()|3B|",distance 0; pcre:"/\x28function\x28\x29\x7bfunction\x20([a-zA-Z0-9]+).*?else\x20setTimeout\x28\1\x2c10\x29\x7d\1\x28\x29/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,wepawet.cs.ucsb.edu/view.php?hash=03c2bae0e0a779cda0f3a2c8679a46ef&type=js; classtype:trojan-activity; sid:21631; rev:3; service:http; )
02627 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Cutwail landing page connection"; flow:to_client,established; file_data; content:"<h1>WAIT PLEASE</h1>|0D 0A 20|<h3>Loading...</h3>"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,en.wikipedia.org/wiki/Cutwail_botnet; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Win32%2FCutwail; classtype:attempted-user; sid:21548; rev:4; service:http; service:imap; service:pop3; )
02649 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC RSPlug Win.Trojan.file download"; flow:to_client,established; file_data; content:"|23|!/bin/sh",nocase; content:"<|22|!0<FEM87|29|Y4V5R=FEC92!|5C 28|'-E9|22|`",distance 50; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/osxrsplugf.html; classtype:misc-activity; sid:15565; rev:8; service:http; )
02650 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC RSPlug Win.Trojan.file download"; flow:to_client,established; file_data; content:"|23|!/bin/sh",nocase; content:"4A4*FD32[8|22|-|29|Y|22|4|28|EB|28 22|!&0H|28 22|8",distance 50; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,service http; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/osxrsplugf.html; classtype:misc-activity; sid:15564; rev:8; service:http; )
02655 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.Mentor inbound connection - post infection"; flow:to_client,established; flowbits:isset,trojan.mentor; file_data; content:"[UPDATE]|0D 0A|VER = "; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/e7b27ac6d0268b4170a428fdec827078d36723e2abace1fc521cc6e5c6310e54/analysis/; classtype:trojan-activity; sid:21435; rev:4; service:http; )
02657 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Trojan.W32.BeeOne runtime traffic detected"; flow:to_client,established; file_data; content:"cbs.firstcitiz"; content:"ibbpowerlink.com",distance 0; content:"cashmanager.mizuhoe-treasurer.com",distance 0; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/1f14a55b06447c5e8b4c7f4153314daf295aaf413d8c645263273574b755e71f/analysis/; classtype:trojan-activity; sid:21430; rev:2; service:http; )
02801 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Work.Rokiwobi inbound command from C&C"; flow:to_client,established; file_data; content:"cmdtimer~~",depth 10; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/8ec9b371b8a2092ffe93ac32e5029911c118256504fb9ba1426830010a513119/analysis/; classtype:trojan-activity; sid:24185; rev:1; service:http; )
02840 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC VBMania mass mailing worm download attempt"; flow:to_client,established; file_data; content:"|53 00 65 00 6E 00 64 00 45 00 6D 00 61 00 69 00 6C 00 2E 00 64 00 6C 00 6C 00 00 00|"; content:"|2E 00 69 00 71 00 00 00|",distance 0; content:"|2E 00 69 00 71 00 00 00|",distance 0; content:"|2E 00 69 00 71 00 00 00|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file-scan/report.html?id=fedb7b404754cf85737fb7e50f33324b84eb4c0b98024c7d3302039a901b04b7-1284133892; classtype:trojan-activity; sid:17235; rev:3; service:http; )
02855 alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Exploit.Hacktool variant outbound connection"; flow:to_client,established; file_data; content:"proxy server on port |5B|"; content:"waiting for client |2E 2E 2E|",nocase; content:"Authentication begin|2E 2E 2E 2E|",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/cc10084096cf45e6529565590ec371198f997c6b3e9d09bb25a1b3cfa593a594/analysis/; classtype:trojan-activity; sid:25093; rev:2; service:http; )
02931 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Trojan.Kuluoz variant inbound run command from cnc"; flow:to_client,established; file_data; content:"c=run",depth 6; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/2A6656AD2DF3FAB17DFA97C1FFB2D8D073AEFEACC77C0A753BE5FC346B0F3D98/analysis/; classtype:attempted-admin; sid:26677; rev:1; service:http; )
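# Kuluoz C2 "idl" command: response body beginning with "c=idl&" (depth 6 = token length, offset 0).
# msg corrected: it previously said "run command" (copied from sid 26677) although the content matched is the idl command; rev bumped for the change.
02932 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Trojan.Kuluoz variant inbound idl command from cnc"; flow:to_client,established; file_data; content:"c=idl&",depth 6; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/2A6656AD2DF3FAB17DFA97C1FFB2D8D073AEFEACC77C0A753BE5FC346B0F3D98/analysis/; classtype:attempted-admin; sid:26678; rev:2; service:http; )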
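# Kuluoz C2 "upd" command: response body beginning with "c=upd&" (depth 6 = token length, offset 0).
# msg corrected: it previously said "run command" (copied from sid 26677) although the content matched is the upd command; rev bumped for the change.
02933 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Trojan.Kuluoz variant inbound upd command from cnc"; flow:to_client,established; file_data; content:"c=upd&",depth 6; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/2A6656AD2DF3FAB17DFA97C1FFB2D8D073AEFEACC77C0A753BE5FC346B0F3D98/analysis/; classtype:attempted-admin; sid:26679; rev:2; service:http; )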
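# Kuluoz C2 "rrm" command: response body beginning with "c=rrm&" (depth 6 = token length, offset 0).
# msg corrected: it previously said "run command" (copied from sid 26677) although the content matched is the rrm command; rev bumped for the change.
02934 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Trojan.Kuluoz variant inbound rrm command from cnc"; flow:to_client,established; file_data; content:"c=rrm&",depth 6; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/2A6656AD2DF3FAB17DFA97C1FFB2D8D073AEFEACC77C0A753BE5FC346B0F3D98/analysis/; classtype:attempted-admin; sid:26680; rev:2; service:http; )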
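# Kuluoz C2 "rem" command: response body beginning with "c=rem&" (depth 6 = token length, offset 0).
# msg corrected: it previously said "run command" (copied from sid 26677) although the content matched is the rem command; rev bumped for the change.
02935 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Trojan.Kuluoz variant inbound rem command from cnc"; flow:to_client,established; file_data; content:"c=rem&",depth 6; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/2A6656AD2DF3FAB17DFA97C1FFB2D8D073AEFEACC77C0A753BE5FC346B0F3D98/analysis/; classtype:attempted-admin; sid:26681; rev:2; service:http; )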
# BlackRev C2 "http" command. Every BlackRev rule here has the same shape: a fast-pattern content "<cmd>|" whose depth equals the token length (forcing offset 0),
# then an anchored pcre requiring a numeric field after it -- "<cmd>|<digits>|". Because both are anchored at the start of the body, "http|" cannot collide with "slowhttp|" or "allhttp|".
02953 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc http command"; flow:to_client,established; file_data; content:"http|7C|",depth 5; pcre:"/^http\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26725; rev:2; service:http; )
# BlackRev C2 "stop" command: body begins with "stop|" (depth 5 = token length) and the anchored pcre demands "stop|<digits>|".
02954 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc stop command"; flow:to_client,established; file_data; content:"stop|7C|",depth 5; pcre:"/^stop\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26726; rev:2; service:http; )
# BlackRev C2 "die" command: body begins with "die|" (depth 4 = token length) and the anchored pcre demands "die|<digits>|".
02955 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc die command"; flow:to_client,established; file_data; content:"die|7C|",depth 4; pcre:"/^die\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26727; rev:2; service:http; )
# BlackRev C2 "sleep" command: body begins with "sleep|" (depth 6 = token length) and the anchored pcre demands "sleep|<digits>|".
02956 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc sleep command"; flow:to_client,established; file_data; content:"sleep|7C|",depth 6; pcre:"/^sleep\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26728; rev:2; service:http; )
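# BlackRev C2 "simple" command: body begins with "simple|" (depth 7 = token length) and the anchored pcre demands "simple|<digits>|".
# FIX: the pcre was anchored on the misspelling "simpel|", while the content option forces "simple|" at offset 0. The two conditions were mutually exclusive,
# so this rule could never fire. pcre now spells the token the same way as the content; rev bumped.
02957 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc simple command"; flow:to_client,established; file_data; content:"simple|7C|",depth 7; pcre:"/^simple\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26729; rev:3; service:http; )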
# BlackRev C2 "loginpost" command: body begins with "loginpost|" (depth 10 = token length) and the anchored pcre demands "loginpost|<digits>|".
02958 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc loginpost command"; flow:to_client,established; file_data; content:"loginpost|7C|",depth 10; pcre:"/^loginpost\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26730; rev:2; service:http; )
# BlackRev C2 "datapost" command: body begins with "datapost|" (depth 9 = token length) and the anchored pcre demands "datapost|<digits>|".
02959 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc datapost command"; flow:to_client,established; file_data; content:"datapost|7C|",depth 9; pcre:"/^datapost\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26731; rev:2; service:http; )
# BlackRev C2 "syn" (flood) command: body begins with "syn|" (depth 4 = token length) and the anchored pcre demands "syn|<digits>|".
02960 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc syn command"; flow:to_client,established; file_data; content:"syn|7C|",depth 4; pcre:"/^syn\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26732; rev:2; service:http; )
# BlackRev C2 "udp" command: body begins with "udp|" (depth 4 = token length) and the anchored pcre demands "udp|<digits>|". Does not overlap "udpdata|" (sid 26734) because both are anchored at offset 0.
02961 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc udp command"; flow:to_client,established; file_data; content:"udp|7C|",depth 4; pcre:"/^udp\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26733; rev:2; service:http; )
# BlackRev C2 "udpdata" command: body begins with "udpdata|" (depth 8 = token length) and the anchored pcre demands "udpdata|<digits>|".
02962 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc udpdata command"; flow:to_client,established; file_data; content:"udpdata|7C|",depth 8; pcre:"/^udpdata\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26734; rev:2; service:http; )
# BlackRev C2 "data" command: body begins with "data|" (depth 5 = token length) and the anchored pcre demands "data|<digits>|". Short generic token, but anchoring at offset 0 keeps it from matching inside other payloads.
02963 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc data command"; flow:to_client,established; file_data; content:"data|7C|",depth 5; pcre:"/^data\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26735; rev:2; service:http; )
# BlackRev C2 "icmp" command: body begins with "icmp|" (depth 5 = token length) and the anchored pcre demands "icmp|<digits>|".
02964 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc icmp command"; flow:to_client,established; file_data; content:"icmp|7C|",depth 5; pcre:"/^icmp\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26736; rev:2; service:http; )
# BlackRev C2 "tcpdata" command: body begins with "tcpdata|" (depth 8 = token length) and the anchored pcre demands "tcpdata|<digits>|".
02965 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc tcpdata command"; flow:to_client,established; file_data; content:"tcpdata|7C|",depth 8; pcre:"/^tcpdata\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26737; rev:2; service:http; )
# BlackRev C2 "dataget" command: body begins with "dataget|" (depth 8 = token length) and the anchored pcre demands "dataget|<digits>|".
02966 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc dataget command"; flow:to_client,established; file_data; content:"dataget|7C|",depth 8; pcre:"/^dataget\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26738; rev:2; service:http; )
# BlackRev C2 "connect" command: body begins with "connect|" (depth 8 = token length) and the anchored pcre demands "connect|<digits>|".
02967 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc connect command"; flow:to_client,established; file_data; content:"connect|7C|",depth 8; pcre:"/^connect\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26739; rev:2; service:http; )
# BlackRev C2 "dns" command: body begins with "dns|" (depth 4 = token length) and the anchored pcre demands "dns|<digits>|".
02968 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc dns command"; flow:to_client,established; file_data; content:"dns|7C|",depth 4; pcre:"/^dns\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26740; rev:2; service:http; )
# BlackRev C2 "exec" command: body begins with "exec|" (depth 5 = token length) and the anchored pcre demands "exec|<digits>|".
02969 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc exec command"; flow:to_client,established; file_data; content:"exec|7C|",depth 5; pcre:"/^exec\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26741; rev:2; service:http; )
# BlackRev C2 "resolve" command: body begins with "resolve|" (depth 8 = token length) and the anchored pcre demands "resolve|<digits>|".
02970 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc resolve command"; flow:to_client,established; file_data; content:"resolve|7C|",depth 8; pcre:"/^resolve\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26742; rev:2; service:http; )
# BlackRev C2 "antiddos" command: body begins with "antiddos|" (depth 9 = token length) and the anchored pcre demands "antiddos|<digits>|".
02971 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc antiddos command"; flow:to_client,established; file_data; content:"antiddos|7C|",depth 9; pcre:"/^antiddos\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26743; rev:2; service:http; )
# BlackRev C2 "range" command: body begins with "range|" (depth 6 = token length) and the anchored pcre demands "range|<digits>|".
02972 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc range command"; flow:to_client,established; file_data; content:"range|7C|",depth 6; pcre:"/^range\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26744; rev:2; service:http; )
# BlackRev C2 "ftp" command: body begins with "ftp|" (depth 4 = token length) and the anchored pcre demands "ftp|<digits>|".
02973 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc ftp command"; flow:to_client,established; file_data; content:"ftp|7C|",depth 4; pcre:"/^ftp\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26745; rev:2; service:http; )
# BlackRev C2 "download" command: body begins with "download|" (depth 9 = token length) and the anchored pcre demands "download|<digits>|".
02974 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc download command"; flow:to_client,established; file_data; content:"download|7C|",depth 9; pcre:"/^download\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26746; rev:2; service:http; )
# BlackRev C2 "fastddos" command: body begins with "fastddos|" (depth 9 = token length) and the anchored pcre demands "fastddos|<digits>|".
02975 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc fastddos command"; flow:to_client,established; file_data; content:"fastddos|7C|",depth 9; pcre:"/^fastddos\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26747; rev:2; service:http; )
# BlackRev C2 "slowhttp" command: body begins with "slowhttp|" (depth 9 = token length) and the anchored pcre demands "slowhttp|<digits>|".
02976 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc slowhttp command"; flow:to_client,established; file_data; content:"slowhttp|7C|",depth 9; pcre:"/^slowhttp\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26748; rev:2; service:http; )
# BlackRev C2 "allhttp" command: body begins with "allhttp|" (depth 8 = token length) and the anchored pcre demands "allhttp|<digits>|".
02977 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc allhttp command"; flow:to_client,established; file_data; content:"allhttp|7C|",depth 8; pcre:"/^allhttp\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26749; rev:2; service:http; )
# BlackRev C2 "full" command: body begins with "full|" (depth 5 = token length) and the anchored pcre demands "full|<digits>|".
02978 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc full command"; flow:to_client,established; file_data; content:"full|7C|",depth 5; pcre:"/^full\x7c\d+\x7c/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26750; rev:2; service:http; )
# Harbinger click-fraud tasking: response body starting with "http://" (depth 7 = token length, offset 0), containing "|Mozilla/" and, somewhere in the body,
# a pipe-delimited dotted-quad IPv4 followed by a numeric field ("|a.b.c.d|<digits>|"). The pcre is not anchored, so the IP field may appear anywhere.
# NOTE(review): this rule carries no reference: option; attach a write-up or sample hash if one exists so the detection can be re-validated.
02979 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Harbinger rootkit click fraud HTTP response"; flow:to_client,established; file_data; content:"http://",depth 7; content:"|7C|Mozilla/"; pcre:"/\|(25[0-5]|2[0-4]\d|[01]?\d\d?)\.(25[0-5]|2[0-4]\d|[01]?\d\d?)\.(25[0-5]|2[0-4]\d|[01]?\d\d?)\.(25[0-5]|2[0-4]\d|[01]?\d\d?)\|\d+\|/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; classtype:trojan-activity; sid:26752; rev:1; service:http; )
# Cridex C2 response: a <script src="/scripts/default0.js"> tag framed by NUL bytes (|00| before and after) in the response body; the NULs are what make this specific rather than a generic script include.
02985 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC cridex HTTP Response - default0.js"; flow:to_client,established; file_data; content:"|00|<script type=|22|text/javascript|22| src=|22|/scripts/default0.js|22|></script>|00|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/en/file/843ffd922b9bd902d736ddb664b578cde6e3033fa5a14b862b09045c36aa7524/analysis/1369942427/; classtype:trojan-activity; sid:26780; rev:1; service:http; )
# BitBot idle reply: the literal <\\\>IDLE<\\\> (three backslashes on each side, 14 bytes) found within the first 18 bytes of the response body. Not flagged impact_flag red, unlike the other C2 rules here.
02995 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC BitBot Idle C2 response"; flow:to_client,established; file_data; content:"<|5C||5C||5C|>IDLE<|5C||5C||5C|>",depth 18; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,blogs.mcafee.com/mcafee-labs/delving-deeply-into-a-bitcoin-botnet; classtype:trojan-activity; sid:26837; rev:1; service:http; )
# PipCreat RAT dropper: only evaluated when the file.exe flowbit has already been set on this flow by another rule (not in this chunk), then looks for the
# "are you there!@#$%^&*()_+" marker in the file body. Ports 8264 and 8500 are watched alongside $HTTP_PORTS.
03006 alert tcp $EXTERNAL_NET [$HTTP_PORTS,8264,8500] -> $HOME_NET any ( msg:"MALWARE-CNC WIN.Trojan.PipCreat RAT dropper download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"are you there!@#$%^&*()_+"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.cyberengineeringservices.com/login-exe-analysis-trojan-pipcreat/; classtype:trojan-activity; sid:26941; rev:2; service:http; )
03025 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC WIN.Trojan.Zb