# NOTE(review): the leading five-digit numbers (00301, 00302, ...) are listing line
# numbers, not rule syntax; strip them before loading this file into Snort.
#
# --- BROWSER-IE / MS09-054 (CVE-2009-1547): malformed data-stream response headers ---
# sids 21993, 21992 and 21991 are single literal byte-string matches on the start of
# a response; decoded, sid 21992 is "HTTP \nContent-Encoding:deflate\nContent-Range:\n\n"
# and sid 21993 is "HTTP/1.1 200 OK\nContent-Encoding:deflate\nContent-Range:\r" followed
# by nine 0x09 bytes, "\n\r\n" and two spaces. The bare-LF (0x0A) line endings and the
# fixed tab runs mean each rule fires only on that exact header layout, so coverage is
# tied to the sample each was written from.
# sid 16149 is the two-stage form: "Content-Encoding:deflate" (nocase) and then a
# "\Content-Range:" block whose tab/space sequence is spelled out byte for byte.
# None of the four uses http_header or file_data, so the match is not restricted to
# the normalized header buffer that the later HTTP rules on this page use.
00301 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer data stream header remote code execution attempt"; flow:to_client,established; content:"|48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0A 43 6F 6E 74 65 6E 74 2D 45 6E 63 6F 64 69 6E 67 3A 64 65 66 6C 61 74 65 0A 43 6F 6E 74 65 6E 74 2D 52 61 6E 67 65 3A 0D 09 09 09 09 09 09 09 09 09 0A 0D 0A 20 20|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-1547; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-054; classtype:attempted-user; sid:21993; rev:2; service:http; )
00302 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer data stream header remote code execution attempt"; flow:to_client,established; content:"|48 54 54 50 20 0A 43 6F 6E 74 65 6E 74 2D 45 6E 63 6F 64 69 6E 67 3A 64 65 66 6C 61 74 65 0A 43 6F 6E 74 65 6E 74 2D 52 61 6E 67 65 3A 0A 0A|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-1547; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-054; classtype:attempted-user; sid:21992; rev:2; service:http; )
00303 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer data stream header remote code execution attempt"; flow:to_client,established; content:"|48 54 54 50 2F 2E 0A 43 6F 6E 74 65 6E 74 2D 45 6E 63 6F 64 69 6E 67 3A 64 65 66 6C 61 74 65 0D 09 0A 0D 0A 20 20|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-1547; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-054; classtype:attempted-user; sid:21991; rev:2; service:http; )
00304 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer data stream header remote code execution attempt"; flow:to_client,established; content:"Content-Encoding|3A|deflate",nocase; content:"|5C|Content-Range|3A 0D 0A 0D 0A 0D 0A 09| |09 09| |09| |09 09 09 09 09| |09 09| |09| |09 09| |09 09| |09 09 09| |09| |09| |09| |09| |09 09 09| |09 09| |09| |09 09 09| |09| |09| |09| |09 09 09 09 09 09| |09 09| |09|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2009-1547; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-054; classtype:attempted-user; sid:16149; rev:7; service:http; )
# --- BROWSER-IE / MS05-020 (CVE-2005-0553): DHTML object handling ---
# sids 18518-18523 key on literal identifiers from one exploit body (child_creator,
# child_element, parent_element, filler, sMSHTML_heap_spray) and on exact call
# syntax, so they are best read as coverage for the published sample rather than
# for the vulnerability class. Ordering constraints: sid 18523 needs the click()
# call within 100 bytes of the writeln(), sid 18522 the insertBefore within 200
# bytes of the createElement, sid 18521 uses distance 0 (any later offset), and
# sid 18519 has no positional constraint between its two contents.
# sid 18520 alone inspects $FILE_DATA_PORTS and tags service imap/pop3 as well as
# http; the others are $HTTP_PORTS / http only.
00308 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer HTML DOM invalid DHTML exploit attempt"; flow:to_client,established; content:"document.writeln|28 28|block.length|2B|memory|5B|0|5D 2E|length|2A|300|29 29 3B|"; content:"child_creator.click|28 29 3B|",within 100; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,13120; reference:cve,2005-0553; reference:nessus,10861; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-020; classtype:attempted-user; sid:18523; rev:5; service:http; )
00309 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer HTML DOM invalid DHTML element creation attempt"; flow:to_client,established; content:"child_creator|20 3D 20|document|2E|createElement|28 22 3C|A target|3D 27|_blank|27|"; content:"document.body.insertBefore|28|child_creator|29 3B|",within 200; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,13120; reference:cve,2005-0553; reference:nessus,10861; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-020; classtype:attempted-user; sid:18522; rev:5; service:http; )
00310 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer HTML DOM invalid DHTML element creation attempt"; flow:to_client,established; content:"child_element|20 3D 20|child|2E|document|2E|createElement|28 22 22 29 3B|"; content:"child_element|2E|appendChild|28|parent_element|29 3B|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,13120; reference:cve,2005-0553; reference:nessus,10861; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-020; classtype:attempted-user; sid:18521; rev:5; service:http; )
00311 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer HTML DOM invalid DHTML exploit attempt"; flow:to_client,established; content:"try { window.open().document.appendChild(document)|3B| } catch(e) {}"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,13120; reference:cve,2005-0553; reference:nessus,10861; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-020; classtype:attempted-user; sid:18520; rev:6; service:http; service:imap; service:pop3; )
00312 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer HTML DOM invalid DHTML element creation attempt"; flow:to_client,established; content:"filler|20 2B 3D 20|unescape|28 22 25|u0000|25|u0000"; content:"obj|2E|insertBefore|28|document|2E|createElement|28|filler|29 29 3B|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,13120; reference:cve,2005-0553; reference:nessus,10861; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-020; classtype:attempted-user; sid:18519; rev:5; service:http; )
# sid 18518's content is UTF-16LE (every byte followed by 0x00); decoded it reads
# "arent_element.appendChild(document.createComment(sMSHTML_heap_spray));", so it
# covers the wide-character form of the script that the ASCII rules above do not.
00313 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer HTML DOM invalid DHTML comment creation attempt"; flow:to_client,established; content:"|61 00 72 00 65 00 6E 00 74 00 5F 00 65 00 6C 00 65 00 6D 00 65 00 6E 00 74 00 2E 00 61 00 70 00 70 00 65 00 6E 00 64 00 43 00 68 00 69 00 6C 00 64 00 28 00 64 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00 2E 00 63 00 72 00 65 00 61 00 74 00 65 00 43 00 6F 00 6D 00 6D 00 65 00 6E 00 74 00 28 00 73 00 4D 00 53 00 48 00 54 00 4D 00 4C 00 5F 00 68 00 65 00 61 00 70 00 5F 00 73 00 70 00 72 00 61 00 79 00 29 00 29 00 3B 00|"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,13120; reference:cve,2005-0553; reference:nessus,10861; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-020; classtype:attempted-user; sid:18518; rev:6; service:http; )
# MS11-050 (CVE-2011-1262): redirect into the cdl: URL scheme. Both matches are
# in the http_header buffer: the status-line text "302 Redirect" (nocase) and then
# a "Location: cdl://" header at any later offset (distance 0, nocase).
# "302 Redirect" is a non-standard reason phrase (the RFC phrase is "302 Found"),
# so a server answering with the standard phrase is not matched by this sid.
# classtype attempted-admin; both IPS policies drop.
00357 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer redirect to cdl protocol attempt"; flow:to_client,established; content:"302 Redirect",nocase; http_header; content:"Location|3A 20|cdl|3A 2F 2F|",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2011-1262; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-050; classtype:attempted-admin; sid:19245; rev:4; service:http; )
# MS07-057 / advisory 943521 (CVE-2007-3896): vCard carrying a mailto: URL that
# names a .cmd/.bat. The source port is hard-coded to 80 instead of $HTTP_PORTS,
# unlike every other HTTP rule on this page, so the same response over an
# alternate HTTP port is not inspected by this sid; consider $HTTP_PORTS.
# The pcre is anchored with ^ under /m: the "URL;<word>:mailto:" field must start
# a line, contain a "%" and then ".cmd" or ".bat" later on the same line (/i).
00389 alert tcp $EXTERNAL_NET 80 -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Windows ShellExecute and Internet Explorer 7 url handling code execution attempt"; flow:to_client,established; content:"BEGIN|3A|VCARD"; pcre:"/^URL\x3b\w+\x3amailto\x3a[^\n]*%[^\n]*\.(cmd|bat)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,25945; reference:cve,2007-3896; reference:url,technet.microsoft.com/en-us/security/advisory/943521; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-057; classtype:attempted-user; sid:12664; rev:7; service:http; )
# MS13-038 (CVE-2013-1347): six ordered matches on a JavaScript sequence -
# "offsetParent" (fast_pattern) with "null" within 10 bytes, then createElement
# followed by "datalist" within 20, then createElement followed by "table" within
# 20. Only the "null" match is nocase; the element names are case-sensitive.
# Inspects $FILE_DATA_PORTS and tags http, imap and pop3.
00465 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer null object access attempt"; flow:to_client,established; content:"offsetParent",fast_pattern; content:"null",within 10,nocase; content:"createElement"; content:"datalist",within 20; content:"createElement"; content:"table",within 20; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2013-1347; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-038; classtype:attempted-user; sid:26668; rev:1; service:http; service:imap; service:pop3; )
# CVE-2008-1898: Microsoft Works WkImgSrv.dll ActiveX control, CLSID
# 00E1DB59-6EFD-4CE7-8C0A-2DA3BCAAD9C6. Both rules look for the CLSID before
# switching to file_data and then for "WksPictureInterface". sid 16740 accepts
# "var num = -1;" or "var num = 168430090;" via pcre (/i); sid 20901 accepts only
# the literal "num = 168430090" (168430090 == 0x0A0A0A0A), so the two overlap on
# that value. Keep them in step if the accepted values are ever changed.
00538 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Works WkImgSrv.dll ActiveX control code execution attempt"; flow:to_client,established; content:"00E1DB59-6EFD-4CE7-8C0A-2DA3BCAAD9C6"; file_data; content:"WksPictureInterface"; pcre:"/var num \x3D (-1|168430090)\x3B/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,28820; reference:cve,2008-1898; classtype:attempted-user; sid:16740; rev:4; service:http; )
00554 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Works WkImgSrv.dll ActiveX control exploit attempt"; flow:to_client,established; content:"00E1DB59-6EFD-4CE7-8C0A-2DA3BCAAD9C6"; file_data; content:"WksPictureInterface"; content:"num|20 3D 20|168430090"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,28820; reference:cve,2008-1898; classtype:attempted-user; sid:20901; rev:4; service:http; )
# --- EXPLOIT-KIT Blackhole ---
# sid 21438: an <applet> tag with code= and archive= attributes and a
# "display:none;" style (all nocase, each bound by distance 0 to the previous),
# then a pcre requiring ten "^"-terminated runs of [@-a-z0-9] - the caret-
# delimited string the landing page splits client-side.
# sid 21344: gated on flowbit blackhole.pdf, which is set by a rule not on this
# page. It checks "application/pdf" in http_header, then "arr=" in the packet
# buffer (file_data immediately followed by pkt_data) and six digit runs each
# followed by the same single delimiter (captured once, then backreferenced).
# Style: this is the only rule on the page with spaces after the commas in
# flow: and flowbits: ("to_client, established", "isset, blackhole.pdf");
# the comma-only form used everywhere else would be the consistent spelling.
00693 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole Exploit Kit JavaScript carat string splitting with hostile applet"; flow:to_client,established; content:"<html><body><applet|20|code=",nocase; content:"|20|archive=",distance 0,nocase; content:"display|3A|none|3B|",distance 0,nocase; pcre:"/([@\x2da-z0-9]+?\x5e){10}/smi"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:trojan-activity; sid:21438; rev:4; service:http; )
00694 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole exploit kit pdf download"; flow:to_client, established; flowbits:isset, blackhole.pdf; http_header; content:"application/pdf"; file_data; pkt_data; content:"arr="; pcre:"/\d+(.)\d+\1\d+\1\d+\1\d+\1\d+\1/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:21344; rev:3; service:http; )
# --- EXPLOIT-KIT payload downloads (Java archives and PE files) ---
# Common shape: match "filename=" in http_header, then select the packet buffer
# (file_data immediately followed by pkt_data) to test the file's magic bytes.
# The PE test in sids 25042 and 27005 is the usual Snort idiom: after "MZ",
# byte_jump:4,58,relative,little reads the 4-byte e_lfanew field at file offset
# 60 and moves the cursor past it by that amount; content:"PE|00 00|",within 4,
# distance -64 then steps back to the offset e_lfanew points at and requires
# the PE signature there.
#
# sid 24798: filename must be exactly 8 \w characters plus ".jar" (content
# within 4 / distance 8, confirmed by the /i pcre) and the body must start with
# the zip magic "PK\x03\x04" (depth 4).
00764 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Possible malicious Jar download attempt - specific-structure"; flow:to_client,established; http_header; content:"|3B 20|filename|3D|",nocase; content:".jar",within 4,distance 8,nocase; pcre:"/filename\x3d\w{8}\.jar/i"; file_data; pkt_data; content:"PK|03 04|",depth 4; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:cve,2013-0422; classtype:trojan-activity; sid:24798; rev:4; service:http; )
# sid 25042: gated on flowbit java_user_agent (set by a rule not on this page);
# the negated content:!"FTB_Launcher.exe" excludes one known filename from the
# PE-via-Java-client match.
00779 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Java User-Agent downloading Portable Executable - Possible Exploit Kit"; flow:to_client,established; flowbits:isset,java_user_agent; http_header; content:!"FTB_Launcher.exe",nocase; content:"filename="; file_data; pkt_data; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|",within 4,distance -64; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-5076; reference:url,malware.dontneedcoffee.com/2012/11/cve-2012-5076-massively-adopted.html; classtype:trojan-activity; sid:25042; rev:2; service:http; )
# sid 26349: "filename=setup.exe" plus nine fixed bytes at depth 9 - presumably a
# fingerprint of one obfuscated build, so expect this one to age quickly.
00884 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Redkit exploit kit obfuscated portable executable"; flow:to_client,established; http_header; content:"filename=setup.exe"; file_data; pkt_data; content:"|8B 7F AA 11 CE 52 0A 3D 76|",depth 9; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,blog.malwarebytes.org/intelligence/2013/04/redkit-exploit-kit-does-the-splits/; classtype:trojan-activity; sid:26349; rev:2; service:http; )
# sids 26891/26892: the filename must be exactly 24 lowercase [a-z0-9] characters
# before ".exe"/".jar" (the pcre has no /i and the contents have no nocase).
# NOTE(review): the ".exe"/".jar" content is issued under pkt_data with a
# distance relative to a match made in http_header - confirm the relative offset
# behaves as intended across the buffer switch before relying on these two.
00924 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Flashpack/Safe/CritX Exploit Kit executable download"; flow:to_client,established; file_data; http_header; content:"filename="; pkt_data; content:".exe",within 4,distance 24; http_header; pcre:"/filename\=[a-z0-9]{24}\.exe/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.malwaresigs.com/2013/06/06/flashpack-exploit-kit-safepack/; classtype:trojan-activity; sid:26891; rev:1; service:http; )
00925 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Flashpack/Safe/CritX Exploit Kit jar file download"; flow:to_client,established; file_data; http_header; content:"filename="; pkt_data; content:".jar",within 4,distance 24; http_header; pcre:"/filename\=[a-z0-9]{24}\.jar/"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.malwaresigs.com/2013/06/06/flashpack-exploit-kit-safepack/; classtype:trojan-activity; sid:26892; rev:1; service:http; )
# sid 27005: a PE delivered under a filename that says mp3. "mp3" carries no
# nocase, unlike "exe" in sid 27108 below, so an uppercase "MP3" filename is not
# caught; adding nocase would align the two rules.
00944 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Multiple exploit kit Portable Executable downloaded when mp3 is declared"; flow:to_client,established; http_header; content:"filename="; content:"mp3",within 25; content:"|0D 0A|",within 4; file_data; pkt_data; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|",within 4,distance -64; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:27005; rev:3; service:http; )
# sid 27086: fully literal, newline-sensitive (\x0A) page skeleton; each
# setAttribute() call is bound to the previous match by within 65, and the
# opening "<html><body><script>\nvar " is the fast_pattern.
00962 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Unknown Malvertising Exploit Kit stage-1 redirect"; flow:to_client,established; content:"<html><body><script>|0A|var ",fast_pattern; content:"document.createElement(",within 80; content:".setAttribute(|22|archive|22|, ",within 65; content:".setAttribute(|22|codebase|22|, ",within 65; content:".setAttribute(|22|id|22|, ",within 65; content:".setAttribute(|22|code|22|, ",within 65; content:"|22|)|3B 0A|document.body.appendChild(",within 65; content:"</script>|0A|</body>|0A|</html>|0A 0A|"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; classtype:trojan-activity; sid:27086; rev:1; service:http; )
# sid 27108: a jar delivered under a filename that says exe. "PK" is unanchored
# here (compare the depth 4 used in sid 24798), so any "PK" followed later by
# ".class" in the payload qualifies.
00966 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Multiple exploit kit malicious jar file downloaded when exe is declared"; flow:to_client,established; http_header; content:"filename="; content:"exe",within 25,nocase; file_data; pkt_data; content:"PK"; content:".class",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:27108; rev:1; service:http; )
# MS12-024 (CVE-2010-0151): Authenticode signature verification bypass. Gated on
# flowbit file.exe (set by a FILE-IDENTIFY rule not on this page). Matches a
# 16-byte run of PE header fields (the "0B 01" bytes are the PE32 optional-header
# magic, 0x10B) as fast_pattern, and a second 16-byte run exactly 112 bytes later.
# NOTE(review): a fixed layout this specific presumably reflects one sample;
# confirm it generalizes before treating it as coverage for the bypass itself.
00988 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-EXECUTABLE Microsoft Windows Authenticode signature verification bypass attempt"; flow:to_client,established; flowbits:isset,file.exe; content:"|E0 00 22 01 0B 01 0A 00 00 64 00 00 00 2E 00 00|",fast_pattern; content:"|00 B0 00 00 50 0E 00 00 30 15 00 00 1C 00 00 00|",within 16,distance 112; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:cve,2010-0151; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-024; classtype:attempted-user; sid:26590; rev:2; service:http; service:imap; service:pop3; )
# --- FILE-IDENTIFY: tag attachment types on POP3/IMAP (ports 110,143) ---
# Each rule sets a file.* flowbit for content rules to test later and suppresses
# its own alert with flowbits:noalert. Matching is: "<ext>" anywhere, then
# "Content-Disposition: attachment;", then "filename=" (nocase), then a pcre that
# requires the extension to be followed by a quote or whitespace - so a name such
# as "x.pdf.exe" is not tagged as pdf.
# Case handling is inconsistent: the leading extension content is case-sensitive
# in all but the .pct/.pict rules (sids 21648/21651), while the pcre is /i, so an
# attachment named REPORT.XLS fails the content check and never sets file.xls.
# Adding nocase to that content, as 21648/21651 do, would close the gap. The
# "Content-Disposition: attachment;" match is also case-sensitive although MIME
# header field names are case-insensitive.
# Several extensions map onto a shared bit: .f4v/.f4p/.f4a/.f4b -> file.swf,
# .tte/.otf -> file.ttf, .xsl/.xslt/.xml -> file.xml, .xlw -> file.xls,
# .vsd -> file.visio, .paq8o -> file.zip, .pfa/.pfb/.pfm -> file.psfont,
# .pct/.pict -> file.pct. .smi sets file.realplayer.playlist, file.dmg and
# file.smi at once (presumably because the extension is ambiguous) and .sami
# sets the first and last of those.
01250 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Office Excel file attachment detected"; flow:to_client,established; content:".xls"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2exls[\x22\x27\s]/si"; flowbits:set,file.xls; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:20792; rev:7; service:imap; service:pop3; )
01252 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Office Word file attachment detected"; flow:to_client,established; content:".doc"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2edoc[\x22\x27\s]/si"; flowbits:set,file.doc; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:20795; rev:6; service:imap; service:pop3; )
01254 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Adobe Shockwave Flash file attachment detected"; flow:to_client,established; content:".swf"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2eswf[\x22\x27\s]/si"; flowbits:set,file.swf; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:20798; rev:7; service:imap; service:pop3; )
01256 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Office Visio file attachment detected"; flow:to_client,established; content:".vsd"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2evsd[\x22\x27\s]/si"; flowbits:set,file.visio; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:20854; rev:5; service:imap; service:pop3; )
01259 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Video Spirit file attachment detected"; flow:to_client,established; content:".visprj"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2evisprj[\x22\x27\s]/si"; flowbits:set,file.visprj; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:20893; rev:6; service:imap; service:pop3; )
01261 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY X PixMap file attachment detected"; flow:to_client,established; content:".xpm"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2expm[\x22\x27\s]/si"; flowbits:set,file.xpm; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:20905; rev:5; service:imap; service:pop3; )
01263 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY DXF file attachment detected"; flow:to_client,established; content:".dxf"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2edxf[\x22\x27\s]/si"; flowbits:set,file.dxf; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:20907; rev:4; service:imap; service:pop3; )
01265 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Windows Media ASF file attachment detected"; flow:to_client,established; content:".asf"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2easf[\x22\x27\s]/si"; flowbits:set,file.asf; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:20909; rev:5; service:imap; service:pop3; )
01267 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY EPS file attachment detected"; flow:to_client,established; content:".eps"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2eeps[\x22\x27\s]/si"; flowbits:set,file.eps; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:20911; rev:5; service:imap; service:pop3; )
01269 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY XML Shareable Playlist Format file attachment detected"; flow:to_client,established; content:".xspf"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2exspf[\x22\x27\s]/si"; flowbits:set,file.xspf; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:20913; rev:4; service:imap; service:pop3; )
01272 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Adobe Pagemaker file attachment detected"; flow:to_client,established; content:".pmd"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2epmd[\x22\x27\s]/si"; flowbits:set,file.pmd; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:20925; rev:5; service:imap; service:pop3; )
01275 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY QCP file attachment detected"; flow:to_client,established; content:".qcp"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2eqcp[\x22\x27\s]/si"; flowbits:set,file.qcp; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:20935; rev:5; service:imap; service:pop3; )
# .f4v/.f4p/.f4a/.f4b (sids 20941-20947) all raise file.swf, the same bit the
# .swf rule (sid 20798) sets, so downstream swf rules inspect these containers too.
01281 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Adobe Shockwave Flash file attachment detected"; flow:to_client,established; content:".f4v"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ef4v[\x22\x27\s]/si"; flowbits:set,file.swf; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:20941; rev:5; service:imap; service:pop3; )
01283 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Adobe Shockwave Flash file attachment detected"; flow:to_client,established; content:".f4p"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ef4p[\x22\x27\s]/si"; flowbits:set,file.swf; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:20943; rev:5; service:imap; service:pop3; )
01285 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Adobe Shockwave Flash file attachment detected"; flow:to_client,established; content:".f4a"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ef4a[\x22\x27\s]/si"; flowbits:set,file.swf; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:20945; rev:5; service:imap; service:pop3; )
01287 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Adobe Shockwave Flash file attachment detected"; flow:to_client,established; content:".f4b"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ef4b[\x22\x27\s]/si"; flowbits:set,file.swf; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:20947; rev:5; service:imap; service:pop3; )
# .tte and .otf (sids 20978/20980) both raise file.ttf.
01315 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY TTE file attachment detected"; flow:to_client,established; content:".tte"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ette[\x22\x27\s]/si"; flowbits:set,file.ttf; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:20978; rev:6; service:imap; service:pop3; )
01317 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY OTF file attachment detected"; flow:to_client,established; content:".otf"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2eotf[\x22\x27\s]/si"; flowbits:set,file.ttf; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:20980; rev:6; service:imap; service:pop3; )
01319 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Office PowerPoint file attachment detected"; flow:to_client,established; content:".ppt"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2eppt[\x22\x27\s]/si"; flowbits:set,file.ppt; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:20982; rev:5; service:imap; service:pop3; )
01326 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY PDF file attachment detected"; flow:to_client,established; content:".pdf"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2epdf[\x22\x27\s]/si"; flowbits:set,file.pdf; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21035; rev:5; service:imap; service:pop3; )
01329 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY AVI file attachment detected"; flow:to_client,established; content:".avi"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2eavi[\x22\x27\s]/si"; flowbits:set,file.avi; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21061; rev:5; service:imap; service:pop3; )
01332 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY MPEG video stream file attachment detected"; flow:to_client,established; content:".mpeg"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2empeg[\x22\x27\s]/si"; flowbits:set,file.mpeg; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21110; rev:6; service:imap; service:pop3; )
# .xsl, .xslt and .xml (sids 21283, 21286, 21499) all raise file.xml.
01337 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY XSL file attachment detected"; flow:to_client,established; content:".xsl"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2exsl[\x22\x27\s]/si"; flowbits:set,file.xml; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21283; rev:3; service:imap; service:pop3; )
01340 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY XSLT file attachment detected"; flow:to_client,established; content:".xslt"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2exslt[\x22\x27\s]/si"; flowbits:set,file.xml; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21286; rev:3; service:imap; service:pop3; )
# .paq8o (sid 21411) raises file.zip rather than a bit of its own.
01344 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY paq8o file attachment detected"; flow:to_client,established; content:".paq8o"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2epaq8o[\x22\x27\s]/si"; flowbits:set,file.zip; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21411; rev:4; service:imap; service:pop3; )
01347 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY CHM file attachment detected"; flow:to_client,established; content:".chm"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2echm[\x22\x27\s]/si"; flowbits:set,file.chm; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21478; rev:2; service:imap; service:pop3; )
01351 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY XML file attachment detected"; flow:to_client,established; content:".xml"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2exml[\x22\x27\s]/si"; flowbits:set,file.xml; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21499; rev:2; service:imap; service:pop3; )
01354 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY PNG file attachment detected"; flow:to_client,established; content:".png"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2epng[\x22\x27\s]/si"; flowbits:set,file.png; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21613; rev:2; service:imap; service:pop3; )
01356 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY WMF file attachment detected"; flow:to_client,established; content:".wmf"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ewmf[\x22\x27\s]/si"; flowbits:set,file.wmf; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21615; rev:2; service:imap; service:pop3; )
# The two PICT rules (sids 21648/21651) are the only ones in this group whose
# extension content is nocase and fast_pattern; the others are case-sensitive.
01360 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY QuickDraw/PICT file attachment detected"; flow:to_client,established; content:".pct",fast_pattern,nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2epct[\x22\x27\s]/si"; flowbits:set,file.pct; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21648; rev:2; service:imap; service:pop3; )
01363 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY QuickDraw/PICT file attachment detected"; flow:to_client,established; content:".pict",fast_pattern,nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2epict[\x22\x27\s]/si"; flowbits:set,file.pct; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21651; rev:2; service:imap; service:pop3; )
01365 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY PLS file attachment detected"; flow:to_client,established; content:".pls"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2epls[\x22\x27\s]/si"; flowbits:set,file.pls; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21687; rev:1; service:imap; service:pop3; )
01367 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY SMIL file attachment detected"; flow:to_client,established; content:".smil"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2esmil[\x22\x27\s]/si"; flowbits:set,file.smil; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21691; rev:1; service:imap; service:pop3; )
# .smi (sid 21695) sets three bits - file.realplayer.playlist, file.dmg and
# file.smi - and .sami (sid 21697) sets file.realplayer.playlist and file.smi.
01369 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY SMI file attachment detected"; flow:to_client,established; content:".smi"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2esmi[\x22\x27\s]/si"; flowbits:set,file.realplayer.playlist; flowbits:set,file.dmg; flowbits:set,file.smi; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21695; rev:1; service:imap; service:pop3; )
01371 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY SAMI file attachment detected"; flow:to_client,established; content:".sami"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2esami[\x22\x27\s]/si"; flowbits:set,file.realplayer.playlist; flowbits:set,file.smi; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21697; rev:1; service:imap; service:pop3; )
# .xlw (sid 21699) raises file.xls, the same bit as the .xls rule (sid 20792).
01373 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Office Excel xlw file attachment detected"; flow:to_client,established; content:".xlw"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2exlw[\x22\x27\s]/si"; flowbits:set,file.xls; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21699; rev:3; service:imap; service:pop3; )
01375 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY FlashPix file attachment detected"; flow:to_client,established; content:".fpx"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2efpx[\x22\x27\s]/si"; flowbits:set,file.fpx; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21701; rev:1; service:imap; service:pop3; )
01377 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY 4XM file attachment detected"; flow:to_client,established; content:".4xm"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2e4xm[\x22\x27\s]/si"; flowbits:set,file.4xm; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21703; rev:1; service:imap; service:pop3; )
01379 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY BitTorrent torrent file attachment detected"; flow:to_client,established; content:".torrent"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2etorrent[\x22\x27\s]/si"; flowbits:set,file.torrent; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21705; rev:1; service:imap; service:pop3; )
# .pfa/.pfb/.pfm (sids 21713, 21716, 21719) all raise file.psfont.
01383 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY PFA file attachment detected"; flow:to_client,established; content:".pfa"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2epfa[\x22\x27\s]/si"; flowbits:set,file.psfont; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21713; rev:1; service:imap; service:pop3; )
01386 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY PFB file attachment detected"; flow:to_client,established; content:".pfb"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2epfb[\x22\x27\s]/si"; flowbits:set,file.psfont; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21716; rev:1; service:imap; service:pop3; )
01389 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY PFM file attachment detected"; flow:to_client,established; content:".pfm"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2epfm[\x22\x27\s]/si"; flowbits:set,file.psfont; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21719; rev:1; service:imap; service:pop3; )
01392 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY AFM file attachment detected"; flow:to_client,established; content:".afm"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2eafm[\x22\x27\s]/si"; flowbits:set,file.psfont; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21722; rev:1; service:imap; service:pop3; )
01395 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY ANI file attachment detected"; flow:to_client,established; content:".ani"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2eani[\x22\x27\s]/si"; flowbits:set,file.ani; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21725; rev:1; service:imap; service:pop3; )
01398 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_client,established; content:".jpg"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ejpg[\x22\x27\s]/si"; flowbits:set,file.jpeg; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21728; rev:1; service:imap; service:pop3; )
01400 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_client,established; content:".jpeg"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ejpeg[\x22\x27\s]/si"; flowbits:set,file.jpeg; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21730; rev:1; service:imap; service:pop3; )
01402 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_client,established; content:".pjpeg"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2epjpeg[\x22\x27\s]/si"; flowbits:set,file.jpeg; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21732; rev:1; service:imap; service:pop3; )
01404 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_client,established; content:".jpe"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ejpe[\x22\x27\s]/si"; flowbits:set,file.jpeg; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21734; rev:1; service:imap; service:pop3; )
01406 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_client,established; content:".jif"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ejif[\x22\x27\s]/si"; flowbits:set,file.jpeg; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21736; rev:1; service:imap; service:pop3; )
01408 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_client,established; content:".jfi"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ejfif?[\x22\x27\s]/si"; flowbits:set,file.jpeg; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21738; rev:2; service:imap; service:pop3; )
01410 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Windows Media asx file attachment detected"; flow:to_client,established; content:".asx"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2easx[\x22\x27\s]/si"; flowbits:set,file.asx; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21740; rev:2; service:imap; service:pop3; )
01412 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Embedded Open Type Font file attachment detected"; flow:to_client,established; content:".eot"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2eeot[\x22\x27\s]/si"; flowbits:set,file.eot; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21742; rev:1; service:imap; service:pop3; )
01414 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY AVI file attachment detected"; flow:to_client,established; content:".avi"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2eavi[\x22\x27\s]/si"; flowbits:set,file.avi; flowbits:set,file.avi.video; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21744; rev:1; service:imap; service:pop3; )
01416 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY RTF file attachment detected"; flow:to_client,established; content:".rtf"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ertf[\x22\x27\s]/si"; flowbits:set,file.rtf; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21746; rev:1; service:imap; service:pop3; )
01419 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY HPJ file attachment detected"; flow:to_client,established; content:".hpj"; content:"Content-Disposition: attachment|3b|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ehpj[\x22\x27\s]/si"; flowbits:set,file.hpj; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21749; rev:1; service:imap; service:pop3; )
01422 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY LNK file attachment detected"; flow:to_client,established; content:".lnk"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2elnk[\x22\x27\s]/si"; flowbits:set,file.lnk; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21854; rev:1; service:imap; service:pop3; )
01424 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY ZIP file attachment detected"; flow:to_client,established; content:".zip"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ezip[\x22\x27\s]/si"; flowbits:set,file.zip; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21856; rev:1; service:imap; service:pop3; )
01426 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY WRF file attachment detected"; flow:to_client,established; content:".wrf"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ewrf[\x22\x27\s]/si"; flowbits:set,file.wrf; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21861; rev:4; service:imap; service:pop3; )
01428 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Windows Fax Cover page document file attachment detected"; flow:to_client,established; content:".cov"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ecov[\x22\x27\s]/si"; flowbits:set,file.cov; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21865; rev:4; service:imap; service:pop3; )
01430 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Windows Fax Cover page document file attachment detected"; flow:to_client,established; content:".cpe"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2ecpe[\x22\x27\s]/si"; flowbits:set,file.cov; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21867; rev:4; service:imap; service:pop3; )
01432 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY GIF file attachment detected"; flow:to_client,established; content:".gif"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2egif[\x22\x27\s]/si"; flowbits:set,file.gif; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21872; rev:1; service:imap; service:pop3; )
01434 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Office Publisher file attachment detected"; flow:to_client,established; content:".pub"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2epub[\x22\x27\s]/si"; flowbits:set,file.pub; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21884; rev:1; service:imap; service:pop3; )
01436 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY OpenType Font file attachment detected"; flow:to_client,established; content:".otf"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2eotf[\x22\x27\s]/si"; flowbits:set,file.otf; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21886; rev:1; service:imap; service:pop3; )
01438 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Windows Movie Maker file attachment detected"; flow:to_client,established; content:".mswmm"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2emswmm[\x22\x27\s]/si"; flowbits:set,file.mswmm; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21888; rev:1; service:imap; service:pop3; )
01440 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Adobe Director Movie file attachment detected"; flow:to_client,established; content:".dcr"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2edcr[\x22\x27\s]/si"; flowbits:set,file.dir; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21890; rev:1; service:imap; service:pop3; )
01442 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Adobe Director Movie file attachment detected"; flow:to_client,established; content:".dir"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2edir[\x22\x27\s]/si"; flowbits:set,file.dir; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21892; rev:1; service:imap; service:pop3; )
01444 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Portable Executable file attachment detected"; flow:to_client,established; content:".exe"; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*?\x2eexe[\x22\x27\s]/si"; flowbits:set,file.exe; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:21908; rev:1; service:imap; service:pop3; )
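# FILE-IDENTIFY attachment tagging over IMAP/POP3, double-quoted filename form: filename="...ext" only. Each rule
# sets its file.* flowbit for downstream FILE-* rules and is noalert by itself.
# Review fix: content:".ext" was case-sensitive while filename=|22| is nocase and the pcre has /i, so an
# attachment named MOVIE.MP4 passed the pcre but failed the content prefilter and was never tagged. The extension
# contents now carry nocase; rev bumped on each changed rule.
# Known gaps left as-is: an unquoted parameter (filename=x.mp4) does not satisfy this pcre at all, unlike the
# unquoted-form rules for other extensions; RFC 2231 filename*= and RFC 2047 encoded-word names are not
# identified; the extension is never checked against the attachment bytes. Note also that .wmv/.wm/.wma set the
# file.asx (metafile) flowbit rather than a media-specific one - presumably intentional, confirm with consumers.
01449 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Visual Studio VAP file attachment detected"; flow:to_client,established; content:".vap",nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2evap\x22/i"; flowbits:set,file.vap; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:22026; rev:3; service:imap; service:pop3; )
01452 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY MPEG Layer 3 playlist file attachment detected"; flow:to_client,established; content:".m3u",nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2em3u\x22/i"; flowbits:set,file.m3u; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:22971; rev:2; service:imap; service:pop3; )
01454 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY MP4 file attachment detected"; flow:to_client,established; content:".mp4",nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2emp4\x22/i"; flowbits:set,file.mp4; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:22993; rev:2; service:imap; service:pop3; )
01460 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY MPG video stream file attachment detected"; flow:to_client,established; content:".mpg",nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2empg\x22/i"; flowbits:set,file.mpeg; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:23168; rev:4; service:imap; service:pop3; )
01462 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Windows Media Metafile file attachment detected"; flow:to_client,established; content:".wma",nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2ewma\x22/i"; flowbits:set,file.asx&file.wma; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:23188; rev:3; service:imap; service:pop3; )
01465 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Windows Media Metafile file attachment detected"; flow:to_client,established; content:".wmv",nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2ewmv\x22/i"; flowbits:set,file.asx; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:23191; rev:2; service:imap; service:pop3; )
01468 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Windows Media Metafile file attachment detected"; flow:to_client,established; content:".wm",nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2ewm\x22/i"; flowbits:set,file.asx; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:23194; rev:2; service:imap; service:pop3; )
01471 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Windows Media Metafile file attachment detected"; flow:to_client,established; content:".wax",nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2ewax\x22/i"; flowbits:set,file.asx; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:23197; rev:2; service:imap; service:pop3; )
01474 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Windows Media Metafile file attachment detected"; flow:to_client,established; content:".wvx",nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2ewvx\x22/i"; flowbits:set,file.asx; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:23200; rev:2; service:imap; service:pop3; )
01477 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Windows Media Metafile file attachment detected"; flow:to_client,established; content:".asx",nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2easx\x22/i"; flowbits:set,file.asx; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:23203; rev:2; service:imap; service:pop3; )
01480 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Windows Media Metafile file attachment detected"; flow:to_client,established; content:".wmx",nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2ewmx\x22/i"; flowbits:set,file.asx; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:23206; rev:2; service:imap; service:pop3; )
01483 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Java .class file attachment detected"; flow:to_client,established; content:".class",nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2eclass\x22/i"; flowbits:set,file.class; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:23637; rev:2; service:imap; service:pop3; )
01566 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY MP3 file attachment detected"; flow:to_client,established; content:".mp3",nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2emp3\x22/i"; flowbits:set,file.mp3; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:24075; rev:2; service:imap; service:pop3; )
01568 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY RMF file attachment detected"; flow:to_client,established; content:".rmf",nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2ermf\x22/i"; flowbits:set,file.rmf; flowbits:set,file.realplayer; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:24078; rev:4; service:imap; service:pop3; )
01570 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Works file attachment detected"; flow:to_client,established; content:".wps",nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2ewps\x22/i"; flowbits:set,file.works; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:24080; rev:2; service:imap; service:pop3; )
01576 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY TIFF file attachment detected"; flow:to_client,established; content:".tif",nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2etiff?\x22/i"; flowbits:set,file.tiff; flowbits:set,file.tiff.big; flowbits:set,file.tiff.little; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:24463; rev:2; service:imap; service:pop3; )
01579 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY FLV file attachment detected"; flow:to_client,established; content:".flv",nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2eflv\x22/i"; flowbits:set,file.flv; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:24472; rev:3; service:imap; service:pop3; )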
# Server fingerprint, not a detection: matches the literal "MDaemon" anywhere in server->client IMAP data (the
# greeting banner or any later response) and records the server.mdaemon flowbit for downstream rules; noalert.
# Direction is $HOME_NET 143 -> $EXTERNAL_NET, i.e. an internal MDaemon server answering outside clients.
# The attempted-admin classtype and the CVE-2008-1358 / BID 28245 references describe the rules that consume
# this flowbit (not in view here), not anything this rule itself decides; the string match is case-sensitive.
01584 alert tcp $HOME_NET 143 -> $EXTERNAL_NET any ( msg:"FILE-IDENTIFY Alt-N MDaemon IMAP Server"; flow:to_client,established; content:"MDaemon"; flowbits:set,server.mdaemon; flowbits:noalert; metadata:service imap; reference:bugtraq,28245; reference:cve,2008-1358; reference:url,files.altn.com/MDaemon/Release/RelNotes_en.txt; classtype:attempted-admin; sid:24599; rev:2; service:imap; )
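# FILE-IDENTIFY attachment tagging over IMAP/POP3 (double-quoted filename form) for CGM, JNLP and TGA. Each rule
# sets its file.* flowbit for downstream FILE-* rules and is noalert on its own.
# Review fix: the extension anchors were case-sensitive while filename=|22| is nocase and the pcre has /i, so a
# LAUNCH.JNLP attachment satisfied the pcre but never the content prefilter; all three now carry nocase. The
# JNLP prefilter also lacked the leading dot ("jnlp") - made ".jnlp" for consistency; the pcre already required
# \x2ejnlp, so the set of matching messages is unchanged while the prefilter gets more selective. rev bumped.
# Known gap left as-is: an unquoted filename=x.jnlp parameter does not satisfy this pcre.
01590 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Computer Graphics Metafile file attachment detected"; flow:to_client,established; content:".cgm",nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2ecgm\x22/i"; flowbits:set,file.cgm; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:24821; rev:2; service:imap; service:pop3; )
01593 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY JNLP file attachment detected"; flow:to_client,established; content:".jnlp",nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2ejnlp\x22/i"; flowbits:set,file.jnlp; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:24902; rev:2; service:imap; service:pop3; )
01597 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Apple Quicktime Targa Image file attachment detected"; flow:to_client,established; content:".tga",nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2etga\x22/i"; flowbits:set,file.tga; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:25374; rev:2; service:imap; service:pop3; )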
# PE download identifiers over HTTP/IMAP/POP3 ($FILE_DATA_PORTS): the Content-Type header must be exactly the
# given MIME type (pcre anchored with ^ and /m, so it is a header-start match, not a substring) and the data
# must begin with the "MZ" DOS header. Sets file.exe for downstream FILE-* rules; noalert.
# Review: "application/octet-stream" is the generic binary type, so the MZ check is what carries the
# identification; a PE served under any other Content-Type (text/plain, image/*, a custom type) is tagged by
# neither rule. The "file_data; pkt_data;" pair moves the cursor off the decoded body before the MZ match, so
# whether the check sees a Content-Encoding-compressed body depends on the engine's pkt_data semantics -
# NOTE(review): confirm on the deployed version rather than assuming body-level inspection.
01599 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Portable Executable download detected"; flow:to_client,established; http_header; content:"application/octet-stream",fast_pattern,nocase; pcre:"/^Content-Type\x3a[\x20\x09]+application\/octet-stream/smi"; file_data; pkt_data; content:"MZ",within 2; flowbits:set,file.exe; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:25513; rev:1; service:http; service:imap; service:pop3; )
01600 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Portable Executable download detected"; flow:to_client,established; http_header; content:"application/x-msdos-program",fast_pattern,nocase; pcre:"/^Content-Type\x3a[\x20\x09]+application\/x-msdos-program/smi"; file_data; pkt_data; content:"MZ",within 2; flowbits:set,file.exe; flowbits:noalert; metadata:service http,service imap,service pop3; classtype:misc-activity; sid:25514; rev:1; service:http; service:imap; service:pop3; )
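# FILE-IDENTIFY attachment tagging over IMAP/POP3 (mixed quoted and quote-optional filename forms). Each rule
# sets its file.* flowbit for downstream FILE-* rules and is noalert by itself.
# Review fixes (rev bumped on every changed rule):
#  - The extension anchors were case-sensitive while "filename=" is nocase and the pcre has /i, so an
#    attachment named APP.APK or PAGE.HTC passed the pcre but failed the content prefilter and was never
#    tagged. Every extension content now carries nocase.
#  - sid 26518 ("maplet bin") searched for ".bin" but its pcre required a filename ending in .maplet, which
#    sid 26515 already covers; as written it could only fire on a .maplet name with ".bin" somewhere else in
#    the packet. The pcre now requires \x2ebin, matching the content, the msg and the file.maplet.bin flowbit -
#    NOTE(review): confirm with the rule owner that tagging every .bin attachment as maplet.bin is intended.
# Known gaps left as-is: RFC 2231 filename*= and RFC 2047 encoded-word names are not identified; for the
# quoted-only rules an unquoted filename=x.ogg parameter is not matched; nothing checks the attachment bytes.
01604 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Csound audio file file attachment detected"; flow:to_client,established; content:".csd",nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2ecsd\x22/i"; flowbits:set,file.csd; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:25605; rev:2; service:imap; service:pop3; )
01607 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Ogg file attachment detected"; flow:to_client,established; content:".ogg",nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2eogg\x22/i"; flowbits:set,file.ogg; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:25929; rev:2; service:imap; service:pop3; )
01610 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Ogg file attachment detected"; flow:to_client,established; content:".ogv",nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2eogv\x22/i"; flowbits:set,file.ogg; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:25932; rev:2; service:imap; service:pop3; )
01613 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Ogg file attachment detected"; flow:to_client,established; content:".oga",nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2eoga\x22/i"; flowbits:set,file.ogg; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:25935; rev:2; service:imap; service:pop3; )
01616 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Ogg file attachment detected"; flow:to_client,established; content:".ogx",nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2eogx\x22/i"; flowbits:set,file.ogg; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:25938; rev:2; service:imap; service:pop3; )
01619 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Ogg file attachment detected"; flow:to_client,established; content:".spx",nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2espx\x22/i"; flowbits:set,file.ogg; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:25941; rev:2; service:imap; service:pop3; )
01622 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Ogg file attachment detected"; flow:to_client,established; content:".opus",nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2eopus\x22/i"; flowbits:set,file.ogg; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:25944; rev:2; service:imap; service:pop3; )
01627 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Internet Explorer HTML Component file attachment detected"; flow:to_client,established; content:".htc",nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[\x22\x27]?[^\n]*\x2ehtc[\x22\x27\s]/si"; flowbits:set,file.htc; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:26127; rev:2; service:imap; service:pop3; )
01632 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Metalink File file attachment detected"; flow:to_client,established; content:".metalink",nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[\x22\x27]?[^\n]*\x2emetalink[\x22\x27\s]/si"; flowbits:set,file.metalink; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:26422; rev:2; service:imap; service:pop3; )
01635 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Stream redirector file attachment detected"; flow:to_client,established; content:".asx",nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[\x22\x27]?[^\n]*\x2easx[\x22\x27\s]/si"; flowbits:set,file.asx; flowbits:noalert; metadata:service imap,service pop3; reference:url,msdn.microsoft.com/en-us/library/dd562372%28v=vs.85%29.aspx; classtype:misc-activity; sid:26456; rev:2; service:imap; service:pop3; )
01639 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY maplet file attachment detected"; flow:to_client,established; content:".maplet",nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2emaplet\x22/i"; flowbits:set,file.maplet; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:26515; rev:2; service:imap; service:pop3; )
01642 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY maplet bin file attachment detected"; flow:to_client,established; content:".bin",nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=|22|",nocase; pcre:"/filename=\x22[^\x22]*\x2ebin\x22/i"; flowbits:set,file.maplet.bin; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:26518; rev:2; service:imap; service:pop3; )
01645 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Android APK download file attachment detected"; flow:to_client,established; content:".apk",nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[\x22\x27]?[^\n]*\x2eapk[\x22\x27\s]/si"; flowbits:set,file.apk; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:26903; rev:2; service:imap; service:pop3; )
01647 alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Trimble SketchUp file attachment detected"; flow:to_client,established; content:".skp",nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[\x22\x27]?[^\n]*\x2eskp[\x22\x27\s]/si"; flowbits:set,file.skp; flowbits:noalert; metadata:service imap,service pop3; classtype:misc-activity; sid:27275; rev:2; service:imap; service:pop3; )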
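# JAR disguised as ZIP: the response headers name a ".zip" download (Content-Disposition filename) while the
# body is a PK archive that contains a ".class" entry - a JAR that the JRE will still load. Dropped in both
# policies.
# Review fix: "filename=" and ".zip" were case-sensitive, so "FILENAME=" or "x.ZIP" (both accepted by browsers;
# parameter names are case-insensitive) bypassed the rule; both contents now carry nocase, rev bumped.
# Known gaps left as-is: a double-quoted name (filename="x.zip"\r\n) is not matched because the closing quote sits
# between ".zip" and the CRLF that the distance-0 match requires; RFC 2231/5987 filename*= is not covered; the
# ".class" check is a substring search after the PK magic, so a zip whose central directory merely mentions a
# .class name (or a JAR with only obfuscated resource names) is handled exactly as the substring dictates.
01699 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java Jar file downloaded when zip is defined"; flow:to_client,established; http_header; content:"filename=",nocase; content:".zip|0D 0A|",distance 0,nocase; file_data; pkt_data; content:"PK",depth 2; content:".class",distance 0; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:26292; rev:3; service:http; )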
# CVE-2008-5352 (BID 32608): Pack200 decompression integer overflow in the JRE. Requires a
# "Content-Encoding: pack200-gzip" header (value within 20 bytes of the header name), then the Pack200 magic
# CA FE D0 0D followed within 50 bytes by the specific band-header sequence C5 FC FC FC FC 00 D6 (fast_pattern).
# Dropped in both policies.
# Review: the magic bytes are searched after "file_data; pkt_data;", i.e. with the cursor moved back to raw
# packet data rather than the decoded body. With pack200-gzip the wire body is gzip-compressed, so the plaintext
# magic is only visible if the inspector has already inflated it at this point -
# NOTE(review): confirm against the deployed HTTP inspector; otherwise this rule may have no effective coverage.
01723 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java Runtime Environment Pack200 Decompression Integer Overflow attempt"; flow:to_client,established; http_header; content:"Content-Encoding|3A|",nocase; content:"pack200-gzip",within 20,nocase; file_data; pkt_data; content:"|CA FE D0 0D|"; content:"|C5 FC FC FC FC 00 D6|",within 50,fast_pattern; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,32608; reference:cve,2008-5352; classtype:misc-attack; sid:17562; rev:8; service:http; )
# CVE-2008-0234 (BID 27225): Apple QuickTime overflow on an over-long HTTP error status line. Fires only when
# the quicktime_agent flowbit is already set (by a request-side rule outside this view) and the response starts
# "HTTP/1.1 404" with no LF anywhere in the following 256 bytes; isdataat:256,relative guarantees those 256
# bytes exist before the negated within-256 content is evaluated. Dropped in both policies.
# Review: coverage is deliberately narrow - only HTTP/1.1 and only status 404. A "HTTP/1.0 404" response or
# another 4xx/5xx status carrying the same over-long line is not matched; widen only with a PoC to test against.
01833 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Apple QuickTime HTTP error response buffer overflow"; flow:to_client,established; flowbits:isset,quicktime_agent; content:"HTTP/1.1 404"; isdataat:256,relative; content:!"|0A|",within 256; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,27225; reference:cve,2008-0234; classtype:attempted-user; sid:13516; rev:7; service:http; )
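# CVE-2013-0006 (MS13-002): MSXML heap overflow triggered by a very large XML document. Fires when the HTTP
# Content-Length header value is >= 100,000,000 (nine or more significant digits after optional leading zeros)
# and "<?xml " appears within the first 100 bytes of the inspected buffer (fast_pattern). Dropped in both
# policies.
# Review fix: the original alternation "[1-9][0-9]{8}|[7-9][0-9]{8}" had a dead second branch - every
# [7-9][0-9]{8} string is already a [1-9][0-9]{8} string - so it is collapsed here; the set of matching
# responses is unchanged, rev bumped. If the author actually meant a 700 MB threshold, the first branch should
# have read [1-9][0-9]{9} - NOTE(review): confirm the intended size bound before tightening further.
# Also note \s* with /m can cross a line break after "Content-Length:"; the PE rules in this file use
# [\x20\x09]+ for the same slot. Left as-is to avoid changing behaviour without a sample.
02233 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-OTHER overly large XML file MSXML heap overflow attempt"; flow:to_client,established; file_data; http_header; content:"Content-Length|3A|"; pcre:"/^Content-Length\x3a\s*0*[1-9][0-9]{8}/mi"; pkt_data; content:"<?xml ",depth 100,fast_pattern; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2013-0006; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-002; classtype:attempted-user; sid:25270; rev:3; service:http; )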
# CVE-2010-0886 / CVE-2010-1423 (BID 39346): Java Deployment Toolkit launch() argument injection. Each rule
# anchors on the toolkit's MIME type in the response headers and, in the body, on "-J-jar" followed by a
# -J<path>.jar argument after "http:" - the 'http: -J-jar -J<path>.jar' shape of the public exploit. The two
# rules differ only in the http_header content (java-deployment-toolkit vs. npruntime-scriptable-plugin),
# presumably because the plugin can be instantiated under either type. Dropped in both policies.
# Review: the pcre requires whitespace after "http:", the exact "-J-jar" token, and a literal ".jar" suffix;
# JVM options injected in a different order or without a .jar target are not matched, so treat these as
# exploit-shape signatures rather than vulnerability coverage. As elsewhere in this file the body match runs
# after "file_data; pkt_data;" - NOTE(review): confirm the cursor semantics on the deployed engine.
02250 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Oracle JRE Java Platform SE and Java Deployment Toolkit plugins code execution attempt - java-deployment-toolkit"; flow:to_client,established; http_header; content:"application/java-deployment-toolkit",nocase; file_data; pkt_data; content:"-J-jar"; pcre:"/http\x3A\s+-J-jar\s+-J[^\s]+\x2Ejar/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,39346; reference:cve,2010-0886; reference:cve,2010-1423; classtype:attempted-user; sid:16550; rev:5; service:http; )
02251 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Oracle JRE Java Platform SE and Java Deployment Toolkit plugins code execution attempt - npruntime-scriptable-plugin"; flow:to_client,established; http_header; content:"application/npruntime-scriptable-plugin|3B|deploymenttoolkit",nocase; file_data; pkt_data; content:"-J-jar"; pcre:"/http\x3A\s+-J-jar\s+-J[^\s]+\x2Ejar/i"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:bugtraq,39346; reference:cve,2010-0886; reference:cve,2010-1423; classtype:attempted-user; sid:16549; rev:5; service:http; )
# INDICATOR-COMPROMISE, sids 23829 / 23830: direction is reversed relative to the
# rest of this page ($HOME_NET $HTTP_PORTS -> $EXTERNAL_NET, flow:to_client), so
# these fire on a response *served by* a HOME_NET web server whose body carries a
# known web-shell banner comment. A hit means the internal host is serving the
# shell, not that it is being attacked; treat as an incident, not a blocked attempt.
02404 alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any ( msg:"INDICATOR-COMPROMISE Loaderz Web Shell"; flow:to_client,established; content:"/* Loader|27|z WEB Shell v"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:23829; rev:1; service:http; )
02405 alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any ( msg:"INDICATOR-COMPROMISE Alsa3ek Web Shell"; flow:to_client,established; content:"<?php /* Cod3d by Mr.Alsa3ek and Al-Swisre"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:trojan-activity; sid:23830; rev:1; service:http; )
# INDICATOR-OBFUSCATION, sid 17111: a chain of four ordered content matches in the
# response body -- "String.fromCharCode(parseInt", a second "String.fromCharCode("
# within 1000 bytes, ".charCodeAt(" within 100, ".replace" within 100 -- then a
# pcre requiring .replace(/<regex>/<flags>, "") or (..., '') (empty-string
# replacement). The rule matches the decoder shape rather than any specific
# payload, so it is content-agnostic; classtype attempted-user.
02438 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION known JavaScript obfuscation routine"; flow:to_client,established; content:"String.fromCharCode|28|parseInt"; content:"String.fromCharCode|28|",within 1000; content:".charCodeAt|28|",within 100; content:".replace",within 100; pcre:"/\.replace\x28\x2F[^\x2F]+\x2F[A-Z]*\x2C(\x22\x22|\x27\x27)/smi"; metadata:policy balanced-ips drop,policy security-ips drop,service http; classtype:attempted-user; sid:17111; rev:6; service:http; )
# MALWARE-BACKDOOR, sids 26326 / 26328 / 26332: sample-specific signatures for
# three files (each referenced by its VirusTotal SHA-256). They listen on
# $FILE_DATA_PORTS and are tagged for http, imap and pop3, so the same download
# is caught whether it arrives over the web or as a mail attachment. In each rule
# the first content is matched in the raw packet payload and the remaining ones
# in the reassembled file_data buffer. impact_flag red; dropped in both policies.
02554 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-BACKDOOR DarkSeoul related wiper"; flow:to_client,established; content:"JO840112-CRAS8468-11150923-PCI8273V"; file_data; content:"|5F 0F 94 C0 5E C9 C3 53 56 8B 74 24 0C 33 DB 57 39 1E 7E 19 8D BE 78 01 00 00 FF 37 56 FF 96 A0|"; content:"taskkill /F /IM pasvc.exe"; content:"GIt%"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/en/file/510f83af3c41f9892040a8a80b4f3a4736eebee2ec4a7d4bfee63dbe44d7ecff/analysis/; classtype:trojan-activity; sid:26326; rev:1; service:http; service:imap; service:pop3; )
02555 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-BACKDOOR Windows vernot download"; flow:to_client,established; content:"|2F|res|2F 7C|1|7C|2|7C|3|7C|4|7C|5|7C|5|7C|5|7C|6|7C|5|7C|7|7C|8|7C|9|7C|10|7C|1|7C|5|7C|11|7C|12|7C|700|7C|"; file_data; content:"|7C 5B|Z/1413617015|7C|com.evernote.edam.type.NoteAttributes/3819593128|7C 5B|B/3308590456|7C|"; content:"&targetUrl=%2FHome.action&targetUrl=%2FHome.action&login=%E7%99%BB%E5%BD%95&_sourcePage="; content:"$_$Today is a very important day for me.$"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/en/file/e21921abd435f1523f41a040b8423f123487c1d9e8e5443ee219589ad8235e63/analysis/; classtype:trojan-activity; sid:26328; rev:1; service:http; service:imap; service:pop3; )
# sid 26332: the two byte sequences plus the "UPX!" packer marker (nocase) -- the
# last two in file_data. "UPX!" alone is common in benign packed binaries; it is
# only meaningful here because the sample-specific bytes must match as well.
02556 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-BACKDOOR Jokra dropper download"; flow:to_client,established; content:"|05 C4 89 84 24 70 1A 30 5B 82 44 8D 79 22 75 04 67 09 4E 33 7B|"; file_data; content:"|93 4C C8 83 0C B8 72 42 06 39 F4 02 84 DB 02 F8 CE 80 1C|",nocase; content:"UPX!",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/en/file/422c767682bee719d85298554af5c59cf7e48cf57daaf1c5bdd87c5d1aab40cc/analysis/; classtype:trojan-activity; sid:26332; rev:1; service:http; service:imap; service:pop3; )
# MALWARE-OTHER, sid 24594: response half of a flowbit pair -- fires only if
# malware.miniflame was set by a request-side rule (not on this page), matches a
# CRLF followed by an HTML comment whose body is 52+ word characters, then unsets
# the bit so the next response on the session is not re-evaluated.
03090 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Trojan.MiniFlame C&C command response attempt"; flow:to_client,established; flowbits:isset,malware.miniflame; content:"|0D 0A|<!-- "; pcre:"/^<!--\s+[\w]{52,}\s+-->\r\n/smi"; flowbits:unset,malware.miniflame; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/file/3eeaf4df50d375123d7c2c459634b7b43bdb7823198afd9399b7ec49548e3f12/analysis/; classtype:trojan-activity; sid:24594; rev:1; service:http; service:imap; service:pop3; )
# sids 25578 / 25579 / 25580 / 26261 (community ruleset): phishing lure downloads.
# Each pairs a "; filename=<Name>.zip\r\n" fragment in the HTTP header (the
# Content-Disposition value) with "<Name>.exe" in the decoded file_data, i.e. a
# zip whose member is an executable with the same lure name. All four share one
# urlquery.net search reference rather than a per-sample hash.
03135 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Fake postal receipt HTTP Response phishing attack"; flow:to_client,established; http_header; content:"|3B 20|filename=PostalReceipt.zip|0D 0A|"; file_data; pkt_data; content:"PostalReceipt.exe"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.urlquery.net/search.php?q=receipt&type=string&start=2013-01-03&end=2013-01-18&max=50; classtype:trojan-activity; sid:25578; rev:2; service:http; )
03136 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Fake bookinginfo HTTP Response phishing attack"; flow:to_client,established; http_header; content:"|3B 20|filename=BookingInfo.zip|0D 0A|"; file_data; pkt_data; content:"BookingInfo.exe"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.urlquery.net/search.php?q=receipt&type=string&start=2013-01-03&end=2013-01-18&max=50; classtype:trojan-activity; sid:25579; rev:2; service:http; )
03137 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Fake bookingdetails HTTP Response phishing attack"; flow:to_client,established; http_header; content:"|3B 20|filename=BookingDetails.zip|0D 0A|"; file_data; pkt_data; content:"BookingDetails.exe"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.urlquery.net/search.php?q=receipt&type=string&start=2013-01-03&end=2013-01-18&max=50; classtype:trojan-activity; sid:25580; rev:2; service:http; )
# sid 25764: "filename=" in the HTTP header, then "FlashPlayer.jar" as the
# fast_pattern with within 17 after switching to pkt_data.
# NOTE(review): the within 17 is declared after the buffer switch, so the relative
# anchor it measures from is not the header match the author presumably intended
# -- confirm against the engine's cursor semantics before relying on the offset.
03138 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Java.Trojan.FlashPlayer file download attempt"; flow:to_client,established; http_header; content:"filename=",nocase; pkt_data; content:"FlashPlayer.jar",within 17,fast_pattern; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:url,www.virustotal.com/file/9324faaed6c7920f1721b60f81e1b04fbe317dedf9974bdfa02d8fcd1f0be18f/analysis/; classtype:trojan-activity; sid:25764; rev:2; service:http; service:imap; service:pop3; )
03140 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Fake postal receipt HTTP Response phishing attack"; flow:to_client,established; http_header; content:"|3B 20|filename=Postal-Receipt.zip|0D 0A|"; file_data; pkt_data; content:"Postal-Receipt.exe"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.urlquery.net/search.php?q=receipt&type=string&start=2013-01-03&end=2013-01-18&max=50; classtype:trojan-activity; sid:26261; rev:1; service:http; )
# sid 26470: date-stamped lure names. Each "-2013.zip\r\n" / "-2013.exe" match is
# followed by a content:"-",within 1,distance -14 that backs the cursor up 14
# bytes from the end of the match and requires a "-" exactly there.
# NOTE(review): the zip pattern is 11 bytes (it includes the CRLF) and the exe
# pattern is 9, so the same distance -14 lands 3 bytes before "-2013.zip" but
# 5 bytes before "-2013.exe"; the two halves therefore accept different name
# shapes. Confirm that asymmetry is intended.
03143 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; http_header; content:"-2013.zip|0D 0A|"; content:"-",within 1,distance -14; file_data; pkt_data; content:"-2013.exe"; content:"-",within 1,distance -14; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/; classtype:trojan-activity; sid:26470; rev:1; service:http; )
# sids 21845 / 21851: TDS Sutra redirect indicators keyed on the Set-Cookie shape.
# 21845 needs "_0000=" (fast_pattern) and, in the cookie buffer, "SL_" followed by
# "_0000=" within 8 bytes. 21851 additionally requires a 302 status code, the
# "=_" / "_\; domain=" fragments in the packet payload, and a cookie matching
# ^[a-z]{5}\d=_\d_ . Both are drop-only under security-ips (not balanced-ips).
03146 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER TDS Sutra - redirect received"; flow:to_client,established; content:"_0000=",fast_pattern; http_cookie; content:"SL_"; content:"_0000=",within 8; metadata:impact_flag red,policy security-ips drop,ruleset community,service http; reference:url,wepawet.iseclab.org/view.php?hash=822b95927fd4d8bb6eb2e62f4e1ef645&t=1243359208&type=js; reference:url,www.nartv.org/tag/tds/; reference:url,xylibox.blogspot.com/2011/12/sutra-tds-v34.html; classtype:trojan-activity; sid:21845; rev:8; service:http; )
03150 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER TDS Sutra - redirect received"; flow:to_client,established; http_stat_code; content:"302"; pkt_data; content:"=_"; content:"_|5C 3B| domain=",within 11,distance 1; http_cookie; pcre:"/^[a-z]{5}\d=_\d_/"; metadata:impact_flag red,policy security-ips drop,ruleset community,service http; reference:url,wepawet.iseclab.org/view.php?hash=822b95927fd4d8bb6eb2e62f4e1ef645&t=1243359208&type=js; reference:url,www.nartv.org/tag/tds/; reference:url,xylibox.blogspot.com/2011/12/sutra-tds-v34.html; classtype:trojan-activity; sid:21851; rev:6; service:http; )
# sid 26660: same lure pattern as the phishing rules above, but the name is a
# prefix ("Delivery_Information_ID-") and the ".exe" must appear within 50 bytes of
# it in file_data, so variable IDs after the prefix still match. No reference URL.
03151 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Fake delivery information phishing attack"; flow:to_client,established; http_header; content:"|3B| filename="; content:"Delivery_Information_ID-"; file_data; pkt_data; content:"Delivery_Information_ID-"; content:".exe",within 50; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community,service http; classtype:trojan-activity; sid:26660; rev:1; service:http; )
# PUA-ADWARE, sid 21644: "MediagetDownloaderInfo" in the raw payload and again in
# the cookie buffer of a response coming *into* HOME_NET; as the msg says, the
# destination (internal) host is the one carrying the adware. classtype is
# misc-activity, so this is informational despite the drop policy tags.
03402 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"PUA-ADWARE Adware.MediaGetInstaller inbound connection - destination ip infected"; flow:to_client,established; content:"MediagetDownloaderInfo"; http_cookie; content:"MediagetDownloaderInfo"; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/72e86852d56b35cf19ae86c9fb37f8b65b8e3038a9a1e2c77532f254fe4f662a/analysis/; classtype:misc-activity; sid:21644; rev:3; service:http; )
# PUA-OTHER, sid 15711 (CVE-2008-4449): IRC server ports 6666-7000 to a client.
# Requires at least 317 bytes of payload (isdataat:317), the literal "PRIVMSG",
# and a pcre for 309 bytes with no ':' or whitespace immediately before
# " PRIVMSG" -- an over-long prefix field.
# NOTE(review): this is the only rule on the page with no trailing service:
# keyword (only "service ircd" in metadata); confirm that is intentional.
03440 alert tcp $EXTERNAL_NET 6666:7000 -> $HOME_NET any ( msg:"PUA-OTHER mIRC PRIVMSG message processing overflow attempt"; flow:to_client,established; isdataat:317; content:"PRIVMSG"; pcre:"/[^\x3a\s]{309}\sPRIVMSG/i"; metadata:policy balanced-ips drop,policy security-ips drop,service ircd; reference:bugtraq,31552; reference:cve,2008-4449; classtype:attempted-user; sid:15711; rev:3; )
# SERVER-MAIL, sid 17327: flowbit *setter*, not a detection. On an established
# IMAP (port 143) session leaving HOME_NET it looks for the "WorldMail IMAP4
# Server" banner, sets qualcom.worldmail.ok, and suppresses its own alert
# (flowbits:noalert). Rules that consume the bit are not on this page; disabling
# this rule silently disables them too.
03505 alert tcp $HOME_NET 143 -> $EXTERNAL_NET any ( msg:"SERVER-MAIL Qualcomm WorldMail Server Response"; flow:established,to_client; content:"WorldMail IMAP4 Server"; flowbits:set,qualcom.worldmail.ok; flowbits:noalert; metadata:service imap; classtype:protocol-command-decode; sid:17327; rev:8; service:imap; )
# SERVER-OTHER, sids 13520 / 20110 / 13521 (CVE-2008-0065): Ultravox streams on
# ports 80 and 8090. 13520 and 20110 are the same rule for two metadata tags:
# "misc/ultravox" in the header, then in the body the frame marker 5A, one byte,
# 39 01, an <artist> (13520) or <name> (20110) tag, and at least 256 further bytes
# with no matching close tag (isdataat:266,relative plus the negated content).
03737 alert tcp $EXTERNAL_NET [80,8090] -> $HOME_NET any ( msg:"SERVER-OTHER Nullsoft Winamp Ultravox streaming malicious metadata"; flow:to_client,established; http_header; content:"misc/ultravox"; file_data; pkt_data; content:"|5A|",within 1; content:"|39 01|",within 2,distance 1; content:"<artist>",distance 0,nocase; isdataat:266,relative; content:!"</artist>",within 256; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-0065; classtype:attempted-user; sid:13520; rev:7; service:http; )
03738 alert tcp $EXTERNAL_NET [80,8090] -> $HOME_NET any ( msg:"SERVER-OTHER Nullsoft Winamp Ultravox streaming malicious metadata"; flow:to_client,established; http_header; content:"misc/ultravox"; file_data; pkt_data; content:"|5A|",within 1; content:"|39 01|",within 2,distance 1; content:"<name>",distance 0,nocase; isdataat:266,relative; content:!"</name>",within 256; metadata:policy balanced-ips drop,policy security-ips drop,service http; reference:cve,2008-0065; classtype:attempted-user; sid:13521; rev:6; service:http; )
END OF CODE